🚨 Runner-Guard Security Finding
Rule: RGS-004 — Comment-Triggered Workflow Without Author Authorization Check
Severity: High
Affected Workflows: 16 unique workflows (1,451 finding occurrences)
Description
A workflow is triggered by issue_comment, pull_request_review_comment, or workflow_run events and accesses secrets or has write permissions, but does not verify the comment author's authorization level before executing privileged operations.
The issue_comment event fires for comments from ANY GitHub user, including those with no affiliation to the repository, on both issues and pull requests, and the resulting run executes in the base repository's context with its secrets available (unlike pull_request runs from forks, which get no secrets). Without an explicit check on github.event.comment.author_association (e.g., requiring OWNER, MEMBER, or COLLABORATOR), any external user can trigger the workflow by posting a comment on any open issue or pull request. Note that CONTRIBUTOR is not a trust level: GitHub assigns it to anyone who has previously had a commit merged into the repository, while FIRST_TIME_CONTRIBUTOR, FIRST_TIMER, and NONE identify unaffiliated users.
Impact
If the workflow accesses secrets, performs deployments, or has write permissions, this effectively grants those privileges to arbitrary external users. A common aggravating pattern is a comment-triggered job that checks out the pull request's head ref and then runs scripts from it, which hands fork-controlled code the job's secrets and token. The workflow_run trigger is similarly dangerous when it runs after a workflow that can be triggered by forks, because the downstream run executes with the base repository's secrets even though its input was produced by an untrusted upstream run.
Affected Workflows
- ace-editor
- ai-moderator
- archie
- brave
- cloclo
- dev-hawk
- grumpy-reviewer
- mergefest
- pdf-summary
- plan
- pr-nitpick-reviewer
- q
- scout
- security-review
- tidy
- unbloat-docs
Remediation
Add an explicit author association check before any privileged operations in comment-triggered workflows. The step below fails the job when the commenter is not an OWNER, MEMBER, or COLLABORATOR; a step that merely runs when the author is trusted does not stop the steps after it, so the check must either fail closed or gate the job itself:

```yaml
- name: Check comment author authorization
  if: |
    github.event.comment.author_association != 'OWNER' &&
    github.event.comment.author_association != 'MEMBER' &&
    github.event.comment.author_association != 'COLLABORATOR'
  run: |
    echo "::error::Comment author is not authorized to trigger this workflow"
    exit 1
```

Alternatively, and preferably, put the positive form of this condition on a job-level if: to gate the entire job on authorized users only, so that no step (including checkout) runs before the check. Do not include CONTRIBUTOR in the accepted values.
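The following is an added example, not runner-guard's code, showing the source-to-sink logic behind RGS-004 as a small stand-alone checker: it looks for a comment-driven trigger under on: (source), a secrets.* reference or write-level permission (sink), and an if: comparing github.event.comment.author_association against trusted values (guard). It runs over three constructed workflows: the vulnerable shape, the same workflow fixed with a job-level if:, and a variant that wrongly accepts CONTRIBUTOR. The line-based regexes, the deploy.sh script and DEPLOY_TOKEN secret are illustrative assumptions; a real scanner parses the YAML and also checks whether the guard sits at job scope or only on one step, which this heuristic does not.

```python
"""Heuristic RGS-004 checker (added example; not runner-guard's own logic).
Source: comment-driven trigger under `on:`. Sink: `${{ secrets.* }}` or a
write-level permission. Guard: `if:` comparing author_association to trusted
values. Regexes stand in for a YAML parser and ignore job-vs-step scope."""
import re

COMMENT_TRIGGERS = ("issue_comment", "pull_request_review_comment", "workflow_run")
TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}  # anything else is not a trust level

ON_RE = re.compile(r"""^["']?on["']?:""")
SECRET_RE = re.compile(r"\$\{\{[^}]*\bsecrets\.")
WRITE_PERM_RE = re.compile(r"^\s*(permissions:\s*write-all|[\w-]+:\s*write)\s*$")
GUARD_RE = re.compile(r"github\.event\.comment\.author_association\s*==\s*'([A-Z_]+)'")


def on_block(text):
    """Raw lines of the top-level `on:` block, inline form included."""
    out, inside = [], False
    for line in text.splitlines():
        if ON_RE.match(line):
            out.append(line)
            inside = True
        elif inside and (line.strip() == "" or line[:1] in (" ", "\t")):
            out.append(line)
        elif inside:
            break
    return out


def comment_triggers(text):
    """Comment-driven triggers declared under `on:`."""
    block = "\n".join(on_block(text))
    return [t for t in COMMENT_TRIGGERS if re.search(r"\b%s\b" % t, block)]


def privileged_sinks(text):
    """(line number, reason) for each line reaching secrets or write permissions."""
    sinks = []
    for n, line in enumerate(text.splitlines(), 1):
        if SECRET_RE.search(line):
            sinks.append((n, "secret access"))
        elif WRITE_PERM_RE.match(line):
            sinks.append((n, "write permission"))
    return sinks


def guard_associations(text):
    """author_association values accepted by any `if:` expression."""
    return set(GUARD_RE.findall(text))


def check_workflow(text):
    """RGS-004: finding when trigger and sink exist but no trusted-only guard does."""
    triggers = comment_triggers(text)
    sinks = privileged_sinks(text)
    accepted = guard_associations(text)
    weak = accepted - TRUSTED  # e.g. CONTRIBUTOR: anyone with one merged commit
    guarded = bool(accepted) and not weak
    return {
        "triggers": triggers,
        "sinks": sinks,
        "accepted": sorted(accepted),
        "weak_values": sorted(weak),
        "finding": bool(triggers) and bool(sinks) and not guarded,
    }


# Constructed sample workflow (deploy.sh and DEPLOY_TOKEN are hypothetical).
VULNERABLE = """\
name: deploy-on-comment
on:
  issue_comment:
    types: [created]
permissions:
  contents: write
jobs:
  deploy:
    runs-on: ubuntu-latest
    if: contains(github.event.comment.body, '/deploy')
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

# Same workflow with the guard on the job-level `if:`, so the whole job
# (checkout included) is skipped when the commenter is not trusted.
FIXED = VULNERABLE.replace(
    "    if: contains(github.event.comment.body, '/deploy')\n",
    "    if: |\n"
    "      contains(github.event.comment.body, '/deploy') &&\n"
    "      (github.event.comment.author_association == 'OWNER' ||\n"
    "       github.event.comment.author_association == 'MEMBER' ||\n"
    "       github.event.comment.author_association == 'COLLABORATOR')\n",
)

# Common mistake: accepting CONTRIBUTOR, which any past committer holds.
WEAK = FIXED.replace("'COLLABORATOR'", "'CONTRIBUTOR'")
```

Call check_workflow() on the text of a workflow file; "finding" is True for VULNERABLE (issue_comment trigger, write permission on line 6 and a secret on line 15, no guard) and for WEAK (the guard admits CONTRIBUTOR), and False for FIXED.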
Detected by runner-guard v2.6.0 — CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/25244792701