🚨 Runner-Guard Security Finding
Rule: RGS-012 — Secret Exfiltration via Outbound HTTP Request
Severity: High
File: .github/workflows/daily-model-inventory.lock.yml
Lines: 1008, 1174, 1239, 1303 (4 findings in this file; also affects docs-noob-tester.lock.yml, unbloat-docs.lock.yml, visual-regression-checker.lock.yml)
Description
A run: block contains an outbound HTTP request command (curl, wget, httpie, python requests, node fetch, etc.) targeting a non-GitHub domain (i.e., not github.com, api.github.com, or ghcr.io) in a job context that has access to secrets or publishing capabilities.
This pattern is a strong indicator of credential exfiltration — the primary objective of most GitHub Actions supply-chain attacks. Attackers who achieve code execution in a CI runner (via expression injection, fork checkout, compromised action, etc.) need a way to exfiltrate stolen secrets to infrastructure they control. The most common method is an HTTP POST request to an attacker-owned domain carrying environment variables, secret values, or tokens as the request body.
Impact
While there are legitimate uses of outbound HTTP requests in CI (API calls, webhook notifications, deployment), the combination of external HTTP requests with secrets access in a workflow triggered by untrusted events is a high-confidence indicator of either active exploitation or a dangerous pattern that could be exploited. If the workflow is compromised, secrets could be exfiltrated to external attacker-controlled infrastructure.
Remediation
- Audit the outbound HTTP calls in the affected workflows to confirm they are legitimate (e.g., calling external model inventory APIs).
- Restrict network access using the gh-aw firewall to allowlist only known-good domains.
- Separate concerns: Move secret-dependent steps to a separate job that does not make external HTTP requests, or use a dedicated service account with minimal permissions.
- Add monitoring: Enable outbound network logging to detect unexpected external connections.
- If calls are confirmed legitimate, add a
# runner-guard:ignore RGS-012 comment with justification.
Affected workflows (8 total findings across 4 files):
daily-model-inventory.lock.yml (4 findings)docs-noob-tester.lock.ymlunbloat-docs.lock.ymlvisual-regression-checker.lock.yml
Detected by runner-guard v2.6.0 — CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/25478184229
Generated by Static Analysis Report · ● 455.3K · ◷
🚨 Runner-Guard Security Finding
Rule: RGS-012 — Secret Exfiltration via Outbound HTTP Request
Severity: High
File:
.github/workflows/daily-model-inventory.lock.ymlLines: 1008, 1174, 1239, 1303 (4 findings in this file; also affects
docs-noob-tester.lock.yml,unbloat-docs.lock.yml,visual-regression-checker.lock.yml)Description
A
run:block contains an outbound HTTP request command (curl,wget,httpie,python requests,node fetch, etc.) targeting a non-GitHub domain (i.e., notgithub.com,api.github.com, orghcr.io) in a job context that has access to secrets or publishing capabilities.This pattern is a strong indicator of credential exfiltration — the primary objective of most GitHub Actions supply-chain attacks. Attackers who achieve code execution in a CI runner (via expression injection, fork checkout, compromised action, etc.) need a way to exfiltrate stolen secrets to infrastructure they control. The most common method is an HTTP POST request to an attacker-owned domain carrying environment variables, secret values, or tokens as the request body.
Impact
While there are legitimate uses of outbound HTTP requests in CI (API calls, webhook notifications, deployment), the combination of external HTTP requests with secrets access in a workflow triggered by untrusted events is a high-confidence indicator of either active exploitation or a dangerous pattern that could be exploited. If the workflow is compromised, secrets could be exfiltrated to external attacker-controlled infrastructure.
Remediation
# runner-guard:ignore RGS-012comment with justification.Affected workflows (8 total findings across 4 files):
daily-model-inventory.lock.yml(4 findings)docs-noob-tester.lock.ymlunbloat-docs.lock.ymlvisual-regression-checker.lock.ymlDetected by runner-guard v2.6.0 — CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/25478184229