Skip to content

[static-analysis] RGS-012: Secret Exfiltration via Outbound HTTP Request in visual-regression-checker #28626

Description

@github-actions

Rule: RGS-012 — Secret Exfiltration via Outbound HTTP Request
Severity: High
File: .github/workflows/visual-regression-checker.md
Lines: 387, 712

Description

Runner-Guard (RGS-012) detected two instances where run: blocks in the visual-regression-checker workflow contain outbound HTTP request commands (curl/wget/httpie/etc.) targeting a non-GitHub domain, in a job context that has access to secrets or publishing capabilities.

This is a new finding first appearing in the 2026-04-26 scan (not detected in previous scans).

Impact

When a run: block makes an outbound HTTP request to an external domain while the job has access to secrets, this creates a potential credential exfiltration path:

  • Attackers achieving code execution in a CI runner (via expression injection, fork checkout, compromised action, etc.) can exfiltrate secrets to infrastructure they control via HTTP POST
  • The most common supply-chain attack method is an HTTP POST to an attacker-owned domain carrying environment variables, secret values, or tokens as the request body
  • Even without active exploitation, the pattern means any future expression injection vulnerability in the same workflow gains an exfiltration channel

Remediation

  1. Audit the outbound HTTP calls: Identify what domains are being called at lines 387 and 712 in the compiled workflow (visual-regression-checker.lock.yml) and verify they are expected and safe
  2. Restrict secrets scope: Ensure the job or step making the HTTP request does not have access to secrets it doesn't need
  3. Apply least privilege: If the HTTP call is to a local/test server (e.g. localhost), verify the URL cannot be influenced by external user input
  4. Add firewall rules: Consider using the workflow firewall to allowlist outbound HTTP destinations

Detected by runner-guard v2.6.0 — CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/24965334725

Generated by Static Analysis Report · ● 374.4K ·

  • expires on May 3, 2026, 7:49 PM UTC

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions