
Category: CICD-SEC-5
Severity: MEDIUM
Auto-fix:
Source: Repository configuration

What the check does

Reads GET /repos/{owner}/{repo}/actions/permissions and inspects the allowed_actions field of the response. Fires when allowed_actions is "all" and Actions is enabled for the repository (enabled is true).

Why it matters

When all marketplace actions are allowed, any of them can run in your CI — including actions that:
  • Were published yesterday and have one star.
  • Were recently transferred to a different (potentially attacker-controlled) account.
  • Have been compromised at the publisher level (see the tj-actions/changed-files incident from 2025).
Pinning to a SHA (CICD-SEC-3) protects against an action being mutated under your feet, but it doesn’t prevent a new malicious action from being introduced in a future PR. An allowlist provides defense in depth at the policy level.

How to fix

Settings → Actions → General → Actions permissions → select either:
  • Allow {owner}, and select non-{owner}, actions and reusable workflows — most useful for orgs. Curate a list of trusted publishers (e.g., actions/*, github/*, your common third-party packages) and require approval for additions.
  • Allow {owner} actions and reusable workflows — strictest option; only first-party actions can run.
For broader org-wide allowlists, configure the same setting at the organization level under Organization settings → Actions.
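The check described under "What the check does" and the allowlist fix described above, as one added example (not Pipefort's own implementation). It evaluates the GET /repos/{owner}/{repo}/actions/permissions response with the same rule the check uses, and builds the two PUT payloads that move a repository from "all" to a curated allowlist. Assumptions: a token with admin rights on the repository in GITHUB_TOKEN and the target in GITHUB_REPOSITORY (e.g. "octo-org/octo-repo"); without them the script only evaluates a constructed sample response offline. The sample response and the example patterns docker/* and aws-actions/* are constructed for illustration, not a recommendation.

```python
"""Detect and remediate a GitHub repository whose Actions policy allows every
marketplace action (allowed_actions == "all").

Added example; not Pipefort's own implementation.  Assumes GITHUB_TOKEN (repo
admin) and GITHUB_REPOSITORY ("owner/repo") for live use; otherwise it
evaluates SAMPLE_PERMISSIONS offline.
"""
import json
import os
import re
import urllib.request

API = "https://api.github.com"

# Constructed sample of GET /repos/{owner}/{repo}/actions/permissions, shaped
# like the real response; the URL value is illustrative only.
SAMPLE_PERMISSIONS = {
    "enabled": True,
    "allowed_actions": "all",
    "selected_actions_url": "https://api.github.com/repos/octo-org/octo-repo/actions/permissions/selected-actions",
}

# Accepts owner/*, owner/repo and owner/repo@ref; rejects a bare "*" or anything
# else that would silently widen the allowlist back to "everything".
PATTERN_RE = re.compile(r"[A-Za-z0-9_.-]+/(\*|[A-Za-z0-9_.-]+(@[^\s]+)?)")


def github_request(method, path, token, body=None):
    """Minimal authenticated call against the GitHub REST API."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        API + path,
        data=data,
        method=method,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def evaluate(permissions):
    """CICD-SEC-5 rule: fires only when Actions is enabled AND allowed_actions is "all"."""
    enabled = bool(permissions.get("enabled", False))
    allowed = permissions.get("allowed_actions")
    return {"fires": enabled and allowed == "all", "enabled": enabled, "allowed_actions": allowed}


def remediation_payloads(extra_patterns=()):
    """Bodies for the two PUT calls that move a repo to a curated allowlist.

    github_owned_allowed covers actions/* and github/*; extra_patterns are the
    third-party publishers you choose to trust.  Actions owned by {owner} are
    always allowed in "selected" mode, so they need no pattern.
    """
    bad = [p for p in extra_patterns if not PATTERN_RE.fullmatch(p)]
    if bad:
        raise ValueError(f"invalid allowlist patterns: {bad}")
    permissions = {"enabled": True, "allowed_actions": "selected"}
    selected = {
        "github_owned_allowed": True,
        "verified_allowed": False,  # the "verified creator" badge is not a trust decision
        "patterns_allowed": sorted(set(extra_patterns)),
    }
    return permissions, selected


def apply_fix(owner, repo, token, extra_patterns=()):
    """Switch allowed_actions to "selected" first; the selected-actions endpoint
    is only meaningful once the repository is in that mode."""
    permissions, selected = remediation_payloads(extra_patterns)
    base = f"/repos/{owner}/{repo}/actions/permissions"
    github_request("PUT", base, token, permissions)
    github_request("PUT", base + "/selected-actions", token, selected)
    return evaluate(github_request("GET", base, token))


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    target = os.environ.get("GITHUB_REPOSITORY")
    if token and target:
        owner, repo = target.split("/", 1)
        finding = evaluate(github_request("GET", f"/repos/{owner}/{repo}/actions/permissions", token))
    else:
        finding = evaluate(SAMPLE_PERMISSIONS)  # offline path using the constructed sample
    print(json.dumps(finding, indent=2))
    if finding["fires"]:
        perm, sel = remediation_payloads(["docker/*", "aws-actions/*"])  # constructed example patterns
        print("proposed fix:", json.dumps(perm), json.dumps(sel))
```

Run it without environment variables to see the rule fire on the constructed sample; with GITHUB_TOKEN and GITHUB_REPOSITORY set it reads the live setting, and apply_fix can then be called with your own curated patterns. The pattern validator is a local guard, not GitHub behaviour: it exists so that a typo such as a bare "*" cannot turn the allowlist back into "allow all".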