🚨 Runner-Guard Security Finding
Rule: RGS-004 — Comment-Triggered Workflow Without Author Authorization Check
Severity: High
Affected Workflows: 16
Total Findings: 1,476
Description
A workflow is triggered by issue_comment events and accesses secrets or has write permissions, but does not verify the comment author's authorization level before executing privileged operations. The issue_comment event fires for comments from ANY GitHub user, including those with no affiliation to the repository. Without an explicit check on github.event.comment.author_association (e.g., requiring OWNER, MEMBER, or COLLABORATOR), any external user can trigger the workflow by posting a comment on any open issue or pull request.
Affected Workflows
ace-editor
ai-moderator
archie
brave
cloclo
dev-hawk
grumpy-reviewer
mergefest
pdf-summary
plan
pr-nitpick-reviewer
q
scout
security-review
tidy
unbloat-docs
Impact
If any of these workflows access secrets, perform deployments, or have write permissions, this effectively grants those privileges to arbitrary external users who can post a comment on any open issue or pull request.
Remediation
Add an authorization check at the start of every job that uses secrets or has write permissions in comment-triggered workflows:
```yaml
- name: Verify comment author authorization
  run: |
    # author_association is a GitHub-controlled enum, so interpolating it is safe here
    ASSOC="${{ github.event.comment.author_association }}"
    if [[ "$ASSOC" != "OWNER" && "$ASSOC" != "MEMBER" && "$ASSOC" != "COLLABORATOR" ]]; then
      echo "::error::Unauthorized: comment author association '$ASSOC' not permitted."
      exit 1
    fi
```
Alternatively, use a job-level if condition:
```yaml
jobs:
  run:
    # expression string literals must be single-quoted
    if: |
      github.event.comment.author_association == 'OWNER' ||
      github.event.comment.author_association == 'MEMBER' ||
      github.event.comment.author_association == 'COLLABORATOR'
```
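As an added audit example (not part of the runner-guard report or its scanner), the following Python heuristic re-implements the RGS-004 condition over raw workflow text: an issue_comment trigger combined with secrets access or write permissions, and no reference to github.event.comment.author_association anywhere in the file. The two sample workflows are constructed for the example.

```python
import re

# Constructed sample workflows: the first lacks the author check, the second has it.
VULNERABLE = """\
on:
  issue_comment:
    types: [created]
permissions:
  contents: write
jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

REMEDIATED = """\
on:
  issue_comment:
    types: [created]
permissions:
  contents: write
jobs:
  run:
    if: |
      github.event.comment.author_association == 'OWNER' ||
      github.event.comment.author_association == 'MEMBER' ||
      github.event.comment.author_association == 'COLLABORATOR'
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""


def rgs004_findings(workflow_text: str) -> list[str]:
    """Return RGS-004 findings for one workflow file (text-based heuristic, not a YAML parser)."""
    if re.search(r"\bissue_comment\b", workflow_text) is None:
        return []  # not comment-triggered: rule does not apply
    reasons = []
    if "secrets." in workflow_text:
        reasons.append("accesses secrets")
    if re.search(r"^\s*[\w-]+\s*:\s*write\b", workflow_text, re.M):
        reasons.append("requests write permissions")
    if not reasons:
        return []  # comment-triggered but nothing privileged to protect
    if "github.event.comment.author_association" in workflow_text:
        return []  # some authorization check is present
    return [f"RGS-004: issue_comment-triggered workflow {' and '.join(reasons)} "
            "without an author_association check"]
```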
Detected by runner-guard v2.6.0 — CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/25359631246