🚨 Runner-Guard Security Finding
Rule: RGS-018 — Suspicious Payload Execution Pattern
Severity: High
File: .github/workflows/api-consumption-report.lock.yml (and 34 others)
Line: 450
Description
A workflow run: block contains code patterns associated with obfuscated payload execution or known indicators of compromise (IOCs) from active supply chain attack campaigns. This includes heredoc-based inline script creation (e.g., cat > /path/script.sh << 'EOF'), eval+decode chains, known malware marker variables, persistence file paths, and C2 communication patterns.
These patterns are loaded from Runner Guard's threat signature database. A match against a dangerous execution pattern indicates susceptibility to this class of supply chain attack.
Affected Workflows (35 total — sample)
api-consumption-report.lock.yml (line 450)
discussion-task-miner.lock.yml (line 389)
smoke-claude.lock.yml (line 1457)
smoke-codex.lock.yml (lines 939, 2141)
audit-workflows.lock.yml
changeset.lock.yml
ci-coach.lock.yml
cli-version-checker.lock.yml
cloclo.lock.yml
copilot-agent-analysis.lock.yml
daily-issues-report.lock.yml
daily-news.lock.yml
deep-report.lock.yml
smoke-copilot.lock.yml
stale-repo-identifier.lock.yml (+ 20 more)
Flagged Pattern Example
    - name: Setup jq utilities directory
      run: |
        mkdir -p /tmp/gh-aw
        cat > /tmp/gh-aw/jqschema.sh << 'EOF'
        #!/usr/bin/env bash
        jq -c 'def walk(f): ...; walk(.)'
        EOF
        chmod +x /tmp/gh-aw/jqschema.sh
The heredoc (<< 'EOF') pattern combined with chmod +x and execution resembles supply chain IOC patterns that runner-guard flags as potentially obfuscated payload installation.
Impact
While the flagged code appears to be legitimate utility script setup, the pattern class it matches is commonly used in supply chain attacks to install and execute attacker-controlled payloads. If any upstream dependency (action, container image, or fetched script) were compromised, this pattern would provide an attacker a template for persistence.
Remediation
- Review each flagged run: block to confirm legitimacy of inline script creation.
- Move inline scripts to checked-in files: Instead of creating scripts dynamically via heredoc, commit the scripts to the repository and reference them directly:
    # Before (flagged):
    - name: Setup utilities
      run: |
        cat > /tmp/script.sh << 'EOF'
        #!/bin/bash
        jq -c 'def walk(f): ...; walk(.)'
        EOF
        chmod +x /tmp/script.sh

    # After (safe):
    - name: Setup utilities
      run: |
        cp scripts/jqschema.sh /tmp/gh-aw/jqschema.sh
        chmod +x /tmp/gh-aw/jqschema.sh
- If the inline script is necessary (e.g., dynamically generated), add a # runner-guard:ignore RGS-018 comment with justification.
Detected by runner-guard v2.6.0 — CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/25538644099
Generated by Static Analysis Report