Hi —
Automated security scan flagged a pull_request_target workflow in your repo that checks out the PR's head SHA. This is the classic GitHub Actions RCE pattern: an external contributor can submit a PR that adds arbitrary code, and the workflow runs that code with access to your repository secrets.
I'm not posting the specific file/line here for responsible-disclosure reasons.
Please contact me at Raffa@Lictor-AI.com and I'll send the exact workflow file + line + a 2-line patch.
A note: this came from an automated scan I manually verified before reaching out. If we're wrong, please reply and we'll close out.
Want this scan for your own project? Free, takes 60s: https://lictorai.com/scan
— Raffa
Lictor AI · https://lictorai.com
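For reference, the pattern the message describes, as an added illustration that is not the scanner's output and not any particular repository's workflow: a constructed pull_request_target workflow that checks out the PR head and executes it, followed by a hardened form. The workflow name, the npm test step and the NPM_TOKEN secret are assumptions chosen to make the example concrete.

```yaml
# Constructed example of the vulnerable pattern (NOT a real repository's workflow).
# pull_request_target runs in the context of the BASE repository, so the job
# receives repository secrets and a write-capable GITHUB_TOKEN even for PRs
# opened from forks. Checking out the PR's head SHA and then running anything
# the PR controls (package.json scripts, a Makefile, test files) lets an
# external contributor execute arbitrary code with those secrets available.
name: ci-vulnerable
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted PR code
      - run: npm ci && npm test   # runs scripts the PR author controls
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}              # exposed to that code
---
# Hardened form. The PR-triggered job uses the plain pull_request event, which
# for fork PRs gets no secrets and a read-only GITHUB_TOKEN, so checking out and
# running the PR's code is safe. Least-privilege permissions and
# persist-credentials: false further limit what a malicious test can reach.
# If a step genuinely needs secrets or write access (labeling, commenting),
# keep it in a separate pull_request_target workflow that never checks out or
# executes the PR's code.
name: ci-hardened
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # no token left in .git/config for the PR's code
      - run: npm ci && npm test        # untrusted code, but nothing sensitive in scope
```

The quick check on any repository is to grep its `.github/workflows/` directory for `pull_request_target` and, in each match, confirm that no `actions/checkout` step sets `ref:` to `github.event.pull_request.head.sha` or `head.ref`, and that no later step runs code from the checkout before that confirmation holds.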