| Field | Value |
|---|---|
| Category | CICD-SEC-5 |
| Severity | HIGH |
| Confidence | HIGH |
| OWASP | CICD-SEC-5: Insufficient PBAC |
| Auto-fix | ✗ |
What the check does
Enforces a repository’s action allow/deny policy from theforbidden-uses
block in .pipefort.yml. It matches every uses:
reference’s owner/repo (ignoring the @ref) against your patterns and flags
violations. The rule is silent unless a policy is configured.
allow and deny are mutually exclusive; allow wins if both are present.
Patterns are globs (someorg/*, actions/checkout); a bare owner (someorg)
matches its whole namespace.
Why it matters
Least-privilege for CI means constraining which third-party actions can run in your pipeline at all. An allow list turns “any action on the internet” into “a vetted set,” shrinking the supply-chain attack surface; a deny list blocks actions you’ve decided are untrustworthy. GitHub’s own org-level allowlist does this at the platform layer;forbidden-uses gives you the same control in-repo
and in the CLI, enforceable in CI before a merge.