Hi,

Automated scan from Lictor flagged a `pull_request_target` workflow that checks out the PR head SHA/ref. That's the pattern of the classic GitHub Actions RCE, but exploitability depends on your guards. I verified the pattern, not exploitability.

- What I saw: `pull_request_target` + a checkout step referencing the head ref.
- Why it might matter: without label gates / approved-ci / fork-PR filters, fork PRs can run with write-scoped tokens.
- What to check: the workflow file the scan flagged. If your guards are sufficient (label requirement, dependabot-only, `head.repo.full_name` check, etc.), this is a non-issue: close out, and a quick note helps me tune the scanner. For the exact file/line, reply here or email Raffa@Lictor-AI.com.

Either way, thank you for the work you do on this repo.

-- Raffa · Lictor (open-source, Apache 2.0)
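The shape the scan matches, beside the same job behind the guards the message lists, as an added example that is neither the flagged repository's workflow nor Lictor's output. Workflow names, the `safe-to-test` label and the npm commands are assumptions; the expressions (`head.repo.full_name`, `labels.*.name`, `persist-credentials`) are standard GitHub Actions syntax.

```yaml
# Constructed example: the unguarded shape the scan matches.
# pull_request_target runs in the base repository's context (base-repo
# GITHUB_TOKEN, access to secrets) while the checkout pulls the PR's code,
# so a fork PR's package.json scripts execute with that token.
name: ci-unguarded
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
---
# Constructed example: the same job behind label / same-repo / dependabot guards.
name: ci-guarded
on:
  pull_request_target:
    types: [labeled]   # runs only when a label is applied; a later push does not re-run by itself
permissions:
  contents: read       # narrow the token the job receives to what it actually needs
jobs:
  test:
    # Evaluated before checkout: same-repo PRs, dependabot PRs, or a PR a
    # maintainer labeled safe-to-test (label name is an assumption).
    if: >-
      github.event.pull_request.head.repo.full_name == github.repository ||
      github.event.pull_request.user.login == 'dependabot[bot]' ||
      contains(github.event.pull_request.labels.*.name, 'safe-to-test')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false   # keep the token out of .git/config where the PR's code could read it
      - run: npm ci && npm test
```

The `if:` runs before the checkout step, so a fork PR that fails it never reaches the step that executes its code. Keep `types` at `labeled` rather than `labeled, synchronize`: if the workflow also ran on `synchronize`, the PR author could push new commits after a maintainer applied the label and have them run under the same token. `persist-credentials: false` keeps the token out of the checked-out tree but does not remove any `secrets.*` values you pass to later steps, so keep those out of the job unless the gate above is one you trust.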