Hi,

Automated scan from Lictor flagged a `pull_request_target` workflow that checks out the PR head SHA/ref. That's the pattern of the classic GitHub Actions RCE, but exploitability depends on your guards. I verified the pattern, not exploitability.

What I saw: `pull_request_target` + a checkout step referencing the head ref.

Why it might matter: without label gates / approved-ci / fork-PR filters, fork PRs can run with write-scoped tokens.

What to check: the workflow file the scan flagged. If your guards are sufficient (label requirement, dependabot-only, `head.repo.full_name` check, etc.), this is a non-issue; close out, and a quick note helps me tune the scanner. For the exact file/line, reply here or email Raffa@Lictor-AI.com.

Either way, thank you for the work you do on this repo.

-- Raffa · Lictor (open-source, Apache 2.0)
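The flagged pattern and one hardened form side by side, as an added example that is not part of the report above or taken from any scanned repository. The workflow names, the `safe-to-test` label, the job name and the `npm` commands are assumptions for illustration; `permissions: contents: read` and `persist-credentials: false` are standard hardening steps the report itself does not mention.

```yaml
# Added example, not from the Lictor report or any specific repository.
# Names ("ci-flagged", "ci-hardened", "safe-to-test", the npm steps) are assumed.

# --- Flagged pattern: pull_request_target + checkout of the PR head ---
# pull_request_target runs in the base repository's context: GITHUB_TOKEN is
# write-scoped by default and repository secrets are available. Checking out
# the fork's head ref and then executing anything from it (package install
# scripts, the test suite, a lint hook) hands that context to the PR author.
name: ci-flagged
on:
  pull_request_target:
    types: [opened, synchronize]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code from the fork
      - run: npm ci && npm test                             # runs it with secrets and a write token in scope

---
# --- Hardened variant: label gate + read-only token + no persisted credentials ---
name: ci-hardened
on:
  pull_request_target:
    types: [labeled]          # only fire when a maintainer applies a label, not on every push

permissions:
  contents: read              # replace the default write-scoped GITHUB_TOKEN with read-only

jobs:
  test:
    # Run only when the label just applied is the review label. Because the
    # trigger is "labeled" rather than "synchronize", a later push to the PR
    # does not re-run this job with the label still attached; head.sha below is
    # the SHA present at the moment the maintainer labeled it.
    #
    # Alternative guard for workflows that must run on every push: skip forks
    # outright, for example
    #   if: github.event.pull_request.head.repo.full_name == github.repository
    if: github.event.label.name == 'safe-to-test'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false   # do not leave the token in .git/config for the checked-out code to read
      - run: npm ci && npm test
```

The residual risk in the hardened form is the review itself: a maintainer must apply the label after reading the commit that `head.sha` will resolve to, and anything pushed between that review and the label event still runs. Same-repository PRs are better served by a plain `pull_request` workflow, which never exposes secrets to forks in the first place.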