From 5ff477fdbcbc9a2ff1585a35181600863fa2f534 Mon Sep 17 00:00:00 2001
From: Bill Napier
Date: Fri, 14 Feb 2025 00:37:07 +0000
Subject: [PATCH] Add workflow to scan actions

---
 .github/workflows/action_scanning.yml | 43 +++++++++++++++++++
 .../pull_request_target_needs_exception.yml | 15 +++++++
 2 files changed, 58 insertions(+)
 create mode 100644 .github/workflows/action_scanning.yml
 create mode 100644 semgrep-rules/actions/pull_request_target_needs_exception.yml

diff --git a/.github/workflows/action_scanning.yml b/.github/workflows/action_scanning.yml
new file mode 100644
index 0000000..1358644
--- /dev/null
+++ b/.github/workflows/action_scanning.yml
@@ -0,0 +1,43 @@
+name: Scan GitHub Action workflows files for security issues
+
+on:
+ pull_request: {}
+ workflow_dispatch: {}
+ push:
+ paths:
+ - '.github/workflows/**.ya?ml'
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ semgrep:
+ name: semgrep-oss/scan
+ runs-on: ubuntu-latest
+
+ container:
+ image: semgrep/semgrep
+
+ # Skip any PR created by dependabot to avoid permission issues:
+ if: (github.actor != 'dependabot[bot]')
+
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+
+
+ - name: Run Actions semgrep scan
+ run: semgrep scan --sarif --config semgrep-rules/actions >> semgrep-results-actions.sarif
+
+ - name: Save Actions SARIF results as artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: semgrep-scan-results-actions
+ path: semgrep-results-actions.sarif
+
+ - name: Upload Actions SARIF result to the GitHub Security Dashboard
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: semgrep-results-actions.sarif
+ if: always()
diff --git a/semgrep-rules/actions/pull_request_target_needs_exception.yml b/semgrep-rules/actions/pull_request_target_needs_exception.yml
new file mode 100644
index 0000000..20ad109
--- /dev/null
+++ b/semgrep-rules/actions/pull_request_target_needs_exception.yml
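Review bot: The `uses:` lines `actions/checkout@v4`, `actions/upload-artifact@v4` and `github/codeql-action/upload-sarif@v3`, together with `image: semgrep/semgrep` under `container:`, all resolve a mutable tag at run time, so a workflow whose job is to audit other workflows inherits whatever those tags point to on a given day; pin each action to a full-length commit SHA with the version kept in a trailing comment (`uses: actions/checkout@<full-commit-sha>  # v4`) and the image to a digest (`image: semgrep/semgrep@sha256:<digest>`). The `on: pull_request` trigger combined with `security-events: write` presumably targets same-repository PRs; on pull requests from forks the GITHUB_TOKEN is read-only, so the `upload-sarif` step would fail there even under `if: always()`, which is worth either documenting in a comment or gating on the head repository matching `github.repository`. The `>> semgrep-results-actions.sarif` redirect appends to the report file; `>` states the intent of a single fresh SARIF document more clearly.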
@@ -0,0 +1,15 @@
+rules:
+ - id: pull-request-target-needs-exception
+ languages:
+ - yaml
+ severity: WARNING
+ message: pull_request_target for Google repos is only approved by exception.
+ metadata:
+ category: best-practice
+ technology:
+ - github-actions
+ patterns:
+ - pattern-either:
+ - patterns:
+ - pattern-inside: "{on: ...}"
+ - pattern: pull_request_target
\ No newline at end of file
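Review bot: The `pattern-either:` at the end of the rule wraps a single `patterns:` branch, so the extra nesting adds nothing; the rule reads the same with a flat `patterns:` list holding `- pattern-inside: "{on: ...}"` and `- pattern: pull_request_target`. It is also not evident from the rule alone that the bare scalar pattern matches every spelling of the trigger — `on: pull_request_target`, `on: [push, pull_request_target]`, and `on:` with `pull_request_target:` as a mapping key — so a companion semgrep test fixture with `# ruleid: pull-request-target-needs-exception` and `# ok: pull-request-target-needs-exception` cases covering those forms would pin the intended behavior. The file is also missing its trailing newline.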