- Fixed the alert messages of `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium`. They previously included a redundant placeholder that would on occasion expand to a long block of YAML, making the alert hard to read. Also reworded the message to make it clearer that it is not the artifact itself that is being poisoned, but rather that a potentially untrusted artifact is being consumed. Finally, changed the alert location to the source, to align with other queries that report on an artifact (e.g. zipslip), which is more useful.
- The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.
No user-facing changes.
- Actions analysis now reports file coverage information on the CodeQL status page.
No user-facing changes.
- The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions` and `ai-inference`. This should lead to better alert messages and better fix suggestions.
No user-facing changes.
- The following queries have been removed from the `security-and-quality` suite. They are not intended to produce user-facing alerts describing vulnerabilities. Any existing alerts for these queries will be closed automatically.
  - `actions/composite-action-sinks`
  - `actions/composite-action-sources`
  - `actions/composite-action-summaries`
  - `actions/reusable-workflow-sinks` (renamed from `actions/reusable-wokflow-sinks`)
  - `actions/reusable-workflow-sources`
  - `actions/reusable-workflow-summaries`
- Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
- CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
- Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
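The three `actions/missing-workflow-permissions` entries above describe the same idea: a workflow that never declares `permissions:` gets the default `GITHUB_TOKEN` rights, the fix suggestion is built from the minimal permissions of well-known actions found in the file, and a reusable workflow is not flagged when every caller sets permissions. The script below is an added example written for this page, not code from the CodeQL actions-queries pack. It scans workflow text line by line rather than parsing YAML, so it handles the flat layouts shown but not every valid workflow; the `WELL_KNOWN` permission map is an assumption taken from each action's documentation, and all sample workflows are constructed.

```python
"""Added example: a dependency-free advisor in the spirit of the
actions/missing-workflow-permissions check (not the query's own code)."""
import re
from typing import Dict, List, Optional

# Minimal GITHUB_TOKEN permissions for a few well-known actions.
# Assumed values: verify against each action's README before relying on them.
WELL_KNOWN: Dict[str, Dict[str, str]] = {
    "actions/checkout": {"contents": "read"},
    "actions/deploy-pages": {"pages": "write", "id-token": "write"},
    "actions/delete-package-versions": {"packages": "write"},
    "actions/ai-inference": {"models": "read", "contents": "read"},
}
RANK = {"read": 1, "write": 2}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)")


def uses_in(workflow: str) -> List[str]:
    """Action names (without the @ref) referenced by `uses:` lines."""
    return [m.group(1) for line in workflow.splitlines() if (m := USES_RE.match(line))]


def sets_permissions(workflow: str) -> bool:
    """True if a `permissions:` block appears at the top level or in any job."""
    return any(line.strip().startswith("permissions:") for line in workflow.splitlines())


def is_reusable(workflow: str) -> bool:
    """A workflow triggered by `workflow_call` is reusable: the effective
    token permissions are decided by whoever calls it."""
    return re.search(r"\bworkflow_call\b", workflow) is not None


def recommended_permissions(workflow: str) -> Dict[str, str]:
    """Union of the minimal permissions of every well-known action used,
    keeping the strongest level requested per scope; `contents: read`
    when nothing is recognised."""
    merged: Dict[str, str] = {}
    for action in uses_in(workflow):
        for scope, level in WELL_KNOWN.get(action, {}).items():
            if RANK[level] > RANK.get(merged.get(scope, ""), 0):
                merged[scope] = level
    return merged or {"contents": "read"}


def suggested_block(workflow: str) -> str:
    """Render the recommendation as a YAML `permissions:` block."""
    perms = recommended_permissions(workflow)
    return "permissions:\n" + "".join(f"  {k}: {v}\n" for k, v in sorted(perms.items()))


def check(workflow: str, callers: Optional[List[str]] = None) -> Optional[str]:
    """Alert message, or None when the workflow is fine.  A reusable
    workflow is not flagged when every known caller sets permissions."""
    if sets_permissions(workflow):
        return None
    if is_reusable(workflow) and callers and all(sets_permissions(c) for c in callers):
        return None
    return "Workflow does not set permissions. Suggested minimal block:\n" + suggested_block(workflow)


# Constructed sample workflows (not taken from any real repository).
DEPLOY = """\
name: pages
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/deploy-pages@v4
"""

REUSABLE = """\
name: shared-build
on:
  workflow_call:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

CALLER_OK = """\
on: push
permissions:
  contents: read
jobs:
  build:
    uses: ./.github/workflows/shared-build.yml
"""
CALLER_MISSING = CALLER_OK.replace("permissions:\n  contents: read\n", "")

if __name__ == "__main__":
    print(check(DEPLOY) or "ok")
    print(check(REUSABLE, callers=[CALLER_OK]) or "ok")
    print(check(REUSABLE, callers=[CALLER_OK, CALLER_MISSING]) or "ok")
```

The merge keeps the strongest level per scope because a workflow that both checks out code and deploys pages needs `contents: read` plus `pages: write` and `id-token: write`; a single caller without `permissions:` is enough to re-flag the reusable workflow, since that caller's job would then run with the default token rights.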
- Fixed typos in the query and alert titles for the queries `actions/envpath-injection/critical`, `actions/envpath-injection/medium`, `actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.
No user-facing changes.
- The `actions/unversioned-immutable-action` query will no longer report any alerts, since the Immutable Actions feature is not yet available for customer use. The query has also been moved to the experimental folder and will not be used in code scanning unless it is explicitly added to a code scanning configuration. Once the Immutable Actions feature is available, the query will be updated to report alerts again.
- The following queries have been removed from the `code-scanning` and `security-extended` suites. Any existing alerts for these queries will be closed automatically.
  - `actions/if-expression-always-true/critical`
  - `actions/if-expression-always-true/high`
  - `actions/unnecessary-use-of-advanced-config`
- The following query has been moved from the `code-scanning` suite to the `security-extended` suite. Any existing alerts for this query will be closed automatically unless the analysis is configured to use the `security-extended` suite.
  - `actions/unpinned-tag`
- The following queries have been added to the `security-extended` suite.
  - `actions/unversioned-immutable-action`
  - `actions/envpath-injection/medium`
  - `actions/envvar-injection/medium`
  - `actions/code-injection/medium`
  - `actions/artifact-poisoning/medium`
  - `actions/untrusted-checkout/medium`
- Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
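The `actions/unpinned-tag` fix above draws the line the check has to draw: a `uses:` reference is immutable when it names a full commit SHA or, for a `docker://` action, the image's sha256 digest, while a tag, a branch, a mutable image tag, or no ref at all can be moved by whoever controls the upstream repository or registry. The script below is an added example written for this page, not the query's own code. It works on workflow text line by line (no YAML parser), treats local `./` actions as out of scope because they live in the same repository, and all sample input, including the hex digests, is constructed.

```python
"""Added example: a line-based pin check in the spirit of
actions/unpinned-tag, including the Docker digest exception."""
import re
from typing import List, Tuple

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
GIT_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
IMAGE_DIGEST_RE = re.compile(r"@sha256:[0-9a-fA-F]{64}$")


def classify(spec: str) -> str:
    """Return 'local', 'pinned' or 'unpinned' for one `uses:` value."""
    if spec.startswith("./"):
        return "local"
    if spec.startswith("docker://"):
        # A digest-pinned image is immutable; a bare tag such as :3.19 is not.
        return "pinned" if IMAGE_DIGEST_RE.search(spec) else "unpinned"
    # Repository actions: only a full 40-hex commit SHA counts as pinned.
    # A missing ref resolves to the default branch and is also mutable.
    _, _, ref = spec.partition("@")
    return "pinned" if GIT_SHA_RE.match(ref) else "unpinned"


def find_unpinned(workflow: str) -> List[Tuple[int, str]]:
    """(line number, uses value) for every reference that is not pinned."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(workflow.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "unpinned":
            hits.append((n, m.group(1)))
    return hits


# Constructed sample workflow; the SHA and digest are made-up hex values.
SAMPLE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/lint
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
      - uses: some-org/some-action
"""

if __name__ == "__main__":
    for line_no, spec in find_unpinned(SAMPLE):
        print(f"line {line_no}: unpinned reference {spec}")
```

Running it reports the `v4` tag, the `alpine:3.19` image tag and the ref-less `some-org/some-action`, while the SHA-pinned action and the digest-pinned image pass; an abbreviated SHA is deliberately treated as unpinned, since only the full 40-character form is unambiguous.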
No user-facing changes.
- Initial public preview release