Skip to main content
FieldValue
CategoryCICD-SEC-5
SeverityHIGH
ConfidenceHIGH
OWASPCICD-SEC-5: Insufficient PBAC
Auto-fix

What the check does

Enforces a repository’s action allow/deny policy from the forbidden-uses block in .pipefort.yml. It matches every uses: reference’s owner/repo (ignoring the @ref) against your patterns and flags violations. The rule is silent unless a policy is configured.
# .pipefort.yml
forbidden-uses:
  deny: ["sketchy-org/*"]        # forbid these
  # — or —
  allow: ["actions/*", "myorg/*"] # permit only these
allow and deny are mutually exclusive; allow wins if both are present. Patterns are globs (someorg/*, actions/checkout); a bare owner (someorg) matches its whole namespace.

Why it matters

Least-privilege for CI means constraining which third-party actions can run in your pipeline at all. An allow list turns “any action on the internet” into “a vetted set,” shrinking the supply-chain attack surface; a deny list blocks actions you’ve decided are untrustworthy. GitHub’s own org-level allowlist does this at the platform layer; forbidden-uses gives you the same control in-repo and in the CLI, enforceable in CI before a merge.

Safe alternative

Adopt an allow list of vetted actions (pinned to SHAs), and pair it with GitHub’s org-level Actions permissions policy for defense in depth.