# feat(rules): WF017 — detect secret-consuming action without presence gate (#396)
Merged
Forward-detection rule for the pattern just root-fixed in hyperpolymath/standards#305 (Mirror radicle / Instant Sync). Data-driven list of known secret-consuming actions; new entries don't require code changes.

## Detection

Fires when a workflow step:

- uses one of the curated `@secret_consuming_actions` (webfactory/ssh-agent, peter-evans/repository-dispatch, peter-evans/create-pull-request, actions-ecosystem/action-create-comment)
- reads `${{ secrets.X }}` as its primary input
- lacks an `if: secrets.X != ''` (or env-equivalent) gate

## Why

Mirror radicle (26 repos) + Instant Sync (39 repos) caught on the 2026-05-30 estate audit. Both failed on every push on repos where the required secret hadn't been propagated. Source fix in standards#305 makes the no-secret path a clean `::notice` skip; this rule prevents the pattern from re-appearing in new workflows.

## Sensitivity / specificity

5/5 smoke tests pass:

- ungated ssh-agent → fires
- gated ssh-agent (`- if: secrets.X != ''` on the step) → silent
- ungated repository-dispatch → fires
- gated repository-dispatch → silent
- generic actions/checkout (not in list, has token but uses GH_TOKEN) → silent

The gate regex matches both `- if: …` (step-leading) and ` if: …` (interior key after a `- uses:` head), and both single- and double-quote styles + inline-`${{ … }}` and bare expression forms.

Companion to PR #393 (WF014/WF015/WF016).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
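The detection and gate-matching rules described in the PR body, as a stand-alone line-oriented check. This is an added example, not the repository's `workflow_audit` rule code: it takes the curated action list and the accepted gate forms from the description above, checks only step-level gates (the env-equivalent and enclosing-wrapper gates the description mentions are out of scope here), and the sample workflow, its secret names (`EXAMPLE_SSH_KEY`, `EXAMPLE_DISPATCH_TOKEN`, `GH_TOKEN`) and the `@PINNED_REF` action refs are constructed placeholders.

```python
"""WF017 as a stand-alone, line-oriented check (added example, not the project's code).
Fires when a step `uses:` a curated secret-consuming action, feeds its secret input
from `${{ secrets.X }}`, and has no `if: secrets.X != ''` gate on the step itself
(enclosing job- or wrapper-level gates are out of scope for this example)."""
import re

# Curated, data-driven list: action -> input that carries the secret.
# Entries come from the PR description; extend this dict, not the logic.
SECRET_CONSUMING_ACTIONS = {
    "webfactory/ssh-agent": "ssh-private-key",
    "peter-evans/repository-dispatch": "token",
    "peter-evans/create-pull-request": "token",
    "actions-ecosystem/action-create-comment": "github_token",
}

STEP_START = re.compile(r"^(\s*)-\s")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^@'\"\s]+)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

def gate_regex(secret):
    """Accepts `- if:` (step-leading) or `if:` (interior key), unquoted or
    single/double-quoted, and inline `${{ ... }}` or bare expression forms."""
    return re.compile(r"^\s*(?:-\s+)?if:\s*['\"]?(?:\$\{\{\s*)?secrets\."
                      + re.escape(secret) + r"\s*!=\s*(?:''|\"\")")

def split_steps(workflow_text):
    """Return [(first_line_no, [lines])] for each `- ...` item under a `steps:` key."""
    steps, current, steps_indent, step_indent = [], None, None, None
    for n, line in enumerate(workflow_text.splitlines(), 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if line.strip() == "steps:" or (steps_indent is not None and indent <= steps_indent):
            if current:                      # close the step we were collecting
                steps.append(current)
            current, step_indent = None, None
            steps_indent = indent if line.strip() == "steps:" else None
            continue
        if steps_indent is None:
            continue                         # not inside a steps block
        m = STEP_START.match(line)
        if m and (step_indent is None or len(m.group(1)) == step_indent):
            step_indent = len(m.group(1))    # a new step item at the list's indent
            if current:
                steps.append(current)
            current = (n, [line])
        elif current:
            current[1].append(line)          # continuation line of the current step
    if current:
        steps.append(current)
    return steps

def check_wf017(workflow_text):
    """Return one finding dict per ungated secret-consuming step."""
    findings = []
    for line_no, body in split_steps(workflow_text):
        uses = next((m.group(1) for m in map(USES_RE.match, body) if m), None)
        if uses not in SECRET_CONSUMING_ACTIONS:
            continue
        input_key = re.compile(r"^\s*" + re.escape(SECRET_CONSUMING_ACTIONS[uses]) + r":")
        secret = None
        for ln in body:
            s = SECRET_RE.search(ln)
            if input_key.match(ln) and s:
                secret = s.group(1)          # the secret the action's input reads
        if secret is None or any(gate_regex(secret).match(ln) for ln in body):
            continue                         # not fed from secrets.*, or gated: silent
        findings.append({"rule": "WF017", "line": line_no, "action": uses, "secret": secret})
    return findings

# Constructed sample: secret names and `@PINNED_REF` are placeholders, not real values.
SAMPLE_WORKFLOW = """\
name: mirror
on: push
jobs:
  mirror:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@PINNED_REF
        with:
          token: ${{ secrets.GH_TOKEN }}
      - uses: webfactory/ssh-agent@PINNED_REF        # ungated: fires
        with:
          ssh-private-key: ${{ secrets.EXAMPLE_SSH_KEY }}
      - if: secrets.EXAMPLE_SSH_KEY != ''           # gated on the step: silent
        uses: webfactory/ssh-agent@PINNED_REF
        with:
          ssh-private-key: ${{ secrets.EXAMPLE_SSH_KEY }}
      - if: ${{ secrets.EXAMPLE_DISPATCH_TOKEN != '' }}   # inline form: silent
        uses: peter-evans/repository-dispatch@PINNED_REF
        with:
          token: ${{ secrets.EXAMPLE_DISPATCH_TOKEN }}
      - uses: peter-evans/repository-dispatch@PINNED_REF   # ungated: fires
        with:
          token: ${{ secrets.EXAMPLE_DISPATCH_TOKEN }}
"""

if __name__ == "__main__":
    for f in check_wf017(SAMPLE_WORKFLOW):
        print(f"WF017 line {f['line']}: {f['action']} reads secrets.{f['secret']} ungated")
```

Run against the sample, the check reports the two ungated steps (lines 10 and 21) and stays silent on the gated ssh-agent, the inline-gated repository-dispatch and the `actions/checkout` step, mirroring the five smoke-test cases. The check only inspects expression text; it never needs the secret values, which is why it can run on any pushed workflow before a job ever executes.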
hyperpolymath added a commit that referenced this pull request on May 30, 2026:
## Summary

Adds `[Unreleased] / Added` section to `CHANGELOG.adoc` enumerating the four `workflow_audit` rules added in PRs #393 + #396 during the 2026-05-30 estate CI/CD audit.

## Why

Closing the documentation loop: the rules were merged with full `@doc` blocks in code, but the CHANGELOG had no corresponding entry. Future releases now have the right narrative.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security Scan. Findings: 103 issues detected

```json
[
{
"reason": "Action urin 21 JRE\n uses: actions/setup-java@be666c2fcd27 needs attention",
"type": "unpinned_action",
"file": "verify-proofs.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "missing_timeout_minutes",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "missing_timeout_minutes",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "missing_timeout_minutes",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "missing_timeout_minutes",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "missing_timeout_minutes",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "missing_timeout_minutes",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "missing_timeout_minutes",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "missing_timeout_minutes",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in clusterfuzzlite.yml",
"type": "missing_timeout_minutes",
"file": "clusterfuzzlite.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]
```

Powered by Hypatia Neurosymbolic CI/CD Intelligence
## Summary

Forward-detection rule for the pattern just root-fixed in hyperpolymath/standards#305 (Mirror radicle + Instant Sync secret-presence gates, 65 estate repos auto-fixed).

## What WF017 detects

A workflow step that:

- `uses:` one of `@secret_consuming_actions` (curated, data-driven)
- reads `${{ secrets.X }}` as its primary input
- lacks an `if: secrets.X != ''` gate (on the step or as an enclosing wrapper)

## Curated action list (initial)

| Action | Secret input |
| --- | --- |
| webfactory/ssh-agent | ssh-private-key |
| peter-evans/repository-dispatch | token |
| peter-evans/create-pull-request | token |
| actions-ecosystem/action-create-comment | github_token |

Add new entries to `@secret_consuming_actions` (no code change).

## Sensitivity / specificity smoke tests

- webfactory/ssh-agent
- webfactory/ssh-agent (`- if: secrets.X != ''`)
- peter-evans/repository-dispatch
- peter-evans/repository-dispatch
- actions/checkout (not in list)

The gate regex handles both step-leading `- if:` and interior `if:`, both quote styles, and inline-`${{ … }}` expressions.

🤖 Generated with Claude Code