[static-analysis] RGS-004: Comment-Triggered Workflow Without Author Authorization Check in scout.lock.yml #29158

@github-actions

🚨 Runner-Guard Security Finding

Rule: RGS-004: Comment-Triggered Workflow Without Author Authorization Check
Severity: High
File: .github/workflows/scout.lock.yml (and 15 other comment-triggered workflows)
Finding Count: 1,397 instances across 16 workflows

Description

A workflow is triggered by issue_comment, pull_request_review_comment, or workflow_run events and accesses secrets or has write permissions, but does not verify the comment author's authorization level before executing privileged operations.

The issue_comment event fires for comments from ANY GitHub user, including those with no affiliation to the repository. Without an explicit check on github.event.comment.author_association (e.g., requiring OWNER, MEMBER, or COLLABORATOR), any external user can trigger the workflow by posting a comment on any open issue or pull request.

Impact

If the workflow accesses secrets, performs deployments, or has write permissions, this effectively grants those privileges to arbitrary external users. This is a privilege escalation vulnerability that allows unauthenticated external actors to trigger privileged CI/CD operations.

Affected workflows (primary):

  • scout.lock.yml: 16+ jobs flagged, accesses ANTHROPIC_API_KEY
  • grumpy-reviewer.lock.yml: multiple jobs with write permissions
  • Other comment-triggered workflows: ace-editor, ai-moderator, archie, brave, cloclo, dev-hawk, mergefest, pdf-summary, plan, pr-nitpick-reviewer, q, security-review, tidy, unbloat-docs

Remediation

Add an explicit author association check at the start of all jobs that run on comment-triggered events. The check should fail the job before any secret is read or any write operation runs, with a message such as:

Unauthorized: comment author is not a repo member

Or add an activation guard condition (`if:`) to the job itself, so the job is skipped entirely for comments from unaffiliated users:
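Both remediation patterns combined in one illustrative workflow (an added example, not code from the gh-aw repository or from runner-guard; the workflow name, job name and `scripts/run-agent.sh` path are assumed):

```yaml
# Added example: a comment-triggered workflow with both guards.
# Workflow name, job name and script path are assumed, not taken from gh-aw.
name: comment-bot-guarded

on:
  issue_comment:
    types: [created]

permissions:
  contents: read
  pull-requests: write

jobs:
  agent:
    # Activation guard: skip the whole job unless the commenter is an
    # owner, org member or collaborator of this repository. Without it,
    # issue_comment fires for comments from any GitHub account.
    if: ${{ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) }}
    runs-on: ubuntu-latest
    steps:
      # Explicit check as the first step: defence in depth in case the
      # job-level condition is later edited or removed.
      - name: Verify comment author authorization
        env:
          AUTHOR_ASSOCIATION: ${{ github.event.comment.author_association }}
          AUTHOR_LOGIN: ${{ github.event.comment.user.login }}
        run: |
          case "$AUTHOR_ASSOCIATION" in
            OWNER|MEMBER|COLLABORATOR)
              echo "Authorized: $AUTHOR_LOGIN ($AUTHOR_ASSOCIATION)" ;;
            *)
              echo "::error::Unauthorized: comment author is not a repo member"
              exit 1 ;;
          esac

      # Only after the check are secrets and the write-scoped token
      # exposed to a step.
      - name: Run privileged step
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          GH_TOKEN: ${{ github.token }}
        run: ./scripts/run-agent.sh   # assumed script path
```

Passing the event fields through `env` rather than interpolating `${{ }}` directly into the script body keeps event data out of the shell text, so the check cannot be bypassed by expression injection.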


Detected by runner-guard v2.6.0, CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/25118934458

Generated by Static Analysis Report · 433.2K

  • expires on May 6, 2026, 3:58 PM UTC
