Fix redundant casts and clarify actor-check wording

JamieMagee · JamieMagee · commit ba801869f984 · 2026-04-02T15:10:08.000-07:00
diff --git a/actions/ql/src/experimental/Security/CWE-290/SpoofableActorCheck.md b/actions/ql/src/experimental/Security/CWE-290/SpoofableActorCheck.md
@@ -2,7 +2,7 @@
 
 Many workflows use `github.actor` or `github.triggering_actor` to check if a specific bot (such as Dependabot or Renovate) triggered the workflow, and then bypass security checks or perform privileged actions. However, `github.actor` refers to the last actor to perform an "action" on the triggering context, not necessarily the actor that actually caused the trigger.
 
-An attacker can exploit this by creating a pull request where the HEAD commit has `github.actor == 'dependabot[bot]'` but the rest of the branch history contains attacker-controlled code, bypassing the actor check.
+An attacker can exploit this by creating a pull request where the workflow run's `github.actor` is `'dependabot[bot]'` (for example, because Dependabot was the latest actor on the PR), but the branch contains attacker-controlled code, bypassing the actor check.
 
 ## Recommendation
 
diff --git a/actions/ql/src/experimental/Security/CWE-798/HardcodedContainerCredentials.ql b/actions/ql/src/experimental/Security/CWE-798/HardcodedContainerCredentials.ql
@@ -24,17 +24,17 @@ YamlScalar getAHardcodedPassword(LocalJobImpl job, string context) {
   exists(YamlMapping creds |
     // Job-level container credentials
     creds =
-      job.getNode().lookup("container").(YamlMapping).lookup("credentials").(YamlMapping) and
+      job.getNode().lookup("container").(YamlMapping).lookup("credentials") and
     context = "container"
     or
     // Service-level container credentials
     exists(YamlMapping service |
-      service = job.getNode().lookup("services").(YamlMapping).lookup(_).(YamlMapping) and
-      creds = service.lookup("credentials").(YamlMapping) and
+      service = job.getNode().lookup("services").(YamlMapping).lookup(_) and
+      creds = service.lookup("credentials") and
       context = "service"
     )
   |
-    result = creds.lookup("password").(YamlScalar) and
+    result = creds.lookup("password") and
     // Not a ${{ }} expression reference (e.g. ${{ secrets.PASSWORD }})
     not result.getValue().regexpMatch("\\$\\{\\{.*\\}\\}")
   )
