CWE coverage for GitHub Actions — CodeQL query help documentation

| CWE | Language | Query ID | Query name |
|---|---|---|---|
| CWE-20 | GitHub Actions | actions/composite-action-sinks | Composite Action Sinks |
| CWE-20 | GitHub Actions | actions/composite-action-sources | Composite Action Sources |
| CWE-20 | GitHub Actions | actions/composite-action-summaries | Composite Action Summaries |
| CWE-20 | GitHub Actions | actions/reusable-workflow-sinks | Reusable Workflow Sinks |
| CWE-20 | GitHub Actions | actions/reusable-workflow-sources | Reusable Workflow Sources |
| CWE-20 | GitHub Actions | actions/reusable-workflow-summaries | Reusable Workflows Summaries |
| CWE-20 | GitHub Actions | actions/envpath-injection/critical | PATH environment variable built from user-controlled sources |
| CWE-20 | GitHub Actions | actions/envpath-injection/medium | PATH environment variable built from user-controlled sources |
| CWE-20 | GitHub Actions | actions/envvar-injection/critical | Environment variable built from user-controlled sources |
| CWE-20 | GitHub Actions | actions/envvar-injection/medium | Environment variable built from user-controlled sources |
| CWE-74 | GitHub Actions | actions/envpath-injection/critical | PATH environment variable built from user-controlled sources |
| CWE-74 | GitHub Actions | actions/envpath-injection/medium | PATH environment variable built from user-controlled sources |
| CWE-74 | GitHub Actions | actions/envvar-injection/critical | Environment variable built from user-controlled sources |
| CWE-74 | GitHub Actions | actions/envvar-injection/medium | Environment variable built from user-controlled sources |
| CWE-74 | GitHub Actions | actions/code-injection/critical | Code injection |
| CWE-74 | GitHub Actions | actions/code-injection/medium | Code injection |
| CWE-74 | GitHub Actions | actions/cache-poisoning/code-injection | Cache Poisoning via low-privileged code injection |
| CWE-74 | GitHub Actions | actions/output-clobbering/high | Output Clobbering |
| CWE-74 | GitHub Actions | actions/command-injection/critical | Command built from user-controlled sources |
| CWE-74 | GitHub Actions | actions/command-injection/medium | Command built from user-controlled sources |
| CWE-74 | GitHub Actions | actions/argument-injection/critical | Argument injection |
| CWE-74 | GitHub Actions | actions/argument-injection/medium | Argument injection |
| CWE-77 | GitHub Actions | actions/envpath-injection/critical | PATH environment variable built from user-controlled sources |
| CWE-77 | GitHub Actions | actions/envpath-injection/medium | PATH environment variable built from user-controlled sources |
| CWE-77 | GitHub Actions | actions/envvar-injection/critical | Environment variable built from user-controlled sources |
| CWE-77 | GitHub Actions | actions/envvar-injection/medium | Environment variable built from user-controlled sources |
| CWE-77 | GitHub Actions | actions/command-injection/critical | Command built from user-controlled sources |
| CWE-77 | GitHub Actions | actions/command-injection/medium | Command built from user-controlled sources |
| CWE-77 | GitHub Actions | actions/argument-injection/critical | Argument injection |
| CWE-77 | GitHub Actions | actions/argument-injection/medium | Argument injection |
| CWE-78 | GitHub Actions | actions/command-injection/critical | Command built from user-controlled sources |
| CWE-78 | GitHub Actions | actions/command-injection/medium | Command built from user-controlled sources |
| CWE-88 | GitHub Actions | actions/argument-injection/critical | Argument injection |
| CWE-88 | GitHub Actions | actions/argument-injection/medium | Argument injection |
| CWE-94 | GitHub Actions | actions/code-injection/critical | Code injection |
| CWE-94 | GitHub Actions | actions/code-injection/medium | Code injection |
| CWE-94 | GitHub Actions | actions/cache-poisoning/code-injection | Cache Poisoning via low-privileged code injection |
| CWE-95 | GitHub Actions | actions/code-injection/critical | Code injection |
| CWE-95 | GitHub Actions | actions/code-injection/medium | Code injection |
| CWE-116 | GitHub Actions | actions/code-injection/critical | Code injection |
| CWE-116 | GitHub Actions | actions/code-injection/medium | Code injection |
| CWE-200 | GitHub Actions | actions/secret-exfiltration | Secret exfiltration |
| CWE-284 | GitHub Actions | actions/improper-access-control | Improper Access Control |
| CWE-284 | GitHub Actions | actions/pr-on-self-hosted-runner | Pull Request code execution on self-hosted runner |
| CWE-285 | GitHub Actions | actions/improper-access-control | Improper Access Control |
| CWE-311 | GitHub Actions | actions/excessive-secrets-exposure | Excessive Secrets Exposure |
| CWE-311 | GitHub Actions | actions/secrets-in-artifacts | Storage of sensitive information in GitHub Actions artifact |
| CWE-311 | GitHub Actions | actions/unmasked-secret-exposure | Unmasked Secret Exposure |
| CWE-312 | GitHub Actions | actions/excessive-secrets-exposure | Excessive Secrets Exposure |
| CWE-312 | GitHub Actions | actions/secrets-in-artifacts | Storage of sensitive information in GitHub Actions artifact |
| CWE-312 | GitHub Actions | actions/unmasked-secret-exposure | Unmasked Secret Exposure |
| CWE-345 | GitHub Actions | actions/cache-poisoning/code-injection | Cache Poisoning via low-privileged code injection |
| CWE-345 | GitHub Actions | actions/cache-poisoning/direct-cache | Cache Poisoning via caching of untrusted files |
| CWE-345 | GitHub Actions | actions/cache-poisoning/poisonable-step | Cache Poisoning via execution of untrusted code |
| CWE-349 | GitHub Actions | actions/cache-poisoning/code-injection | Cache Poisoning via low-privileged code injection |
| CWE-349 | GitHub Actions | actions/cache-poisoning/direct-cache | Cache Poisoning via caching of untrusted files |
| CWE-349 | GitHub Actions | actions/cache-poisoning/poisonable-step | Cache Poisoning via execution of untrusted code |
| CWE-362 | GitHub Actions | actions/untrusted-checkout-toctou/critical | Untrusted Checkout TOCTOU |
| CWE-362 | GitHub Actions | actions/untrusted-checkout-toctou/high | Untrusted Checkout TOCTOU |
| CWE-367 | GitHub Actions | actions/untrusted-checkout-toctou/critical | Untrusted Checkout TOCTOU |
| CWE-367 | GitHub Actions | actions/untrusted-checkout-toctou/high | Untrusted Checkout TOCTOU |
| CWE-441 | GitHub Actions | actions/request-forgery | Uncontrolled data used in network request |
| CWE-610 | GitHub Actions | actions/request-forgery | Uncontrolled data used in network request |
| CWE-664 | GitHub Actions | actions/code-injection/critical | Code injection |
| CWE-664 | GitHub Actions | actions/code-injection/medium | Code injection |
| CWE-664 | GitHub Actions | actions/improper-access-control | Improper Access Control |
| CWE-664 | GitHub Actions | actions/excessive-secrets-exposure | Excessive Secrets Exposure |
| CWE-664 | GitHub Actions | actions/secrets-in-artifacts | Storage of sensitive information in GitHub Actions artifact |
| CWE-664 | GitHub Actions | actions/unmasked-secret-exposure | Unmasked Secret Exposure |
| CWE-664 | GitHub Actions | actions/cache-poisoning/code-injection | Cache Poisoning via low-privileged code injection |
| CWE-664 | GitHub Actions | actions/artifact-poisoning/critical | Artifact poisoning |
| CWE-664 | GitHub Actions | actions/artifact-poisoning/medium | Artifact poisoning |
| CWE-664 | GitHub Actions | actions/unpinned-tag | Unpinned tag for a non-immutable Action in workflow |
| CWE-664 | GitHub Actions | actions/untrusted-checkout/critical | Checkout of untrusted code in a privileged context |
| CWE-664 | GitHub Actions | actions/untrusted-checkout/high | Checkout of untrusted code in trusted context |
| CWE-664 | GitHub Actions | actions/untrusted-checkout/medium | Checkout of untrusted code in trusted context |
| CWE-664 | GitHub Actions | actions/secret-exfiltration | Secret exfiltration |
| CWE-664 | GitHub Actions | actions/pr-on-self-hosted-runner | Pull Request code execution on self-hosted runner |
| CWE-664 | GitHub Actions | actions/artifact-poisoning/path-traversal | Artifact Poisoning (Path Traversal) |
| CWE-664 | GitHub Actions | actions/unversioned-immutable-action | Unversioned Immutable Action |
| CWE-664 | GitHub Actions | actions/request-forgery | Uncontrolled data used in network request |
| CWE-668 | GitHub Actions | actions/secret-exfiltration | Secret exfiltration |
| CWE-669 | GitHub Actions | actions/artifact-poisoning/critical | Artifact poisoning |
| CWE-669 | GitHub Actions | actions/artifact-poisoning/medium | Artifact poisoning |
| CWE-669 | GitHub Actions | actions/unpinned-tag | Unpinned tag for a non-immutable Action in workflow |
| CWE-669 | GitHub Actions | actions/untrusted-checkout/critical | Checkout of untrusted code in a privileged context |
| CWE-669 | GitHub Actions | actions/untrusted-checkout/high | Checkout of untrusted code in trusted context |
| CWE-669 | GitHub Actions | actions/untrusted-checkout/medium | Checkout of untrusted code in trusted context |
| CWE-669 | GitHub Actions | actions/artifact-poisoning/path-traversal | Artifact Poisoning (Path Traversal) |
| CWE-669 | GitHub Actions | actions/unversioned-immutable-action | Unversioned Immutable Action |
| CWE-691 | GitHub Actions | actions/code-injection/critical | Code injection |
| CWE-691 | GitHub Actions | actions/code-injection/medium | Code injection |
| CWE-691 | GitHub Actions | actions/cache-poisoning/code-injection | Cache Poisoning via low-privileged code injection |
| CWE-691 | GitHub Actions | actions/untrusted-checkout-toctou/critical | Untrusted Checkout TOCTOU |
| CWE-691 | GitHub Actions | actions/untrusted-checkout-toctou/high | Untrusted Checkout TOCTOU |
| CWE-693 | GitHub Actions | actions/composite-action-sinks | Composite Action Sinks |
| CWE-693 | GitHub Actions | actions/composite-action-sources | Composite Action Sources |
| CWE-693 | GitHub Actions | actions/composite-action-summaries | Composite Action Summaries |
| CWE-693 | GitHub Actions | actions/reusable-workflow-sinks | Reusable Workflow Sinks |
| CWE-693 | GitHub Actions | actions/reusable-workflow-sources | Reusable Workflow Sources |
| CWE-693 | GitHub Actions | actions/reusable-workflow-summaries | Reusable Workflows Summaries |
| CWE-693 | GitHub Actions | actions/envpath-injection/critical | PATH environment variable built from user-controlled sources |
| CWE-693 | GitHub Actions | actions/envpath-injection/medium | PATH environment variable built from user-controlled sources |
| CWE-693 | GitHub Actions | actions/envvar-injection/critical | Environment variable built from user-controlled sources |
| CWE-693 | GitHub Actions | actions/envvar-injection/medium | Environment variable built from user-controlled sources |
| CWE-693 | GitHub Actions | actions/improper-access-control | Improper Access Control |
| CWE-693 | GitHub Actions | actions/excessive-secrets-exposure | Excessive Secrets Exposure |
| CWE-693 | GitHub Actions | actions/secrets-in-artifacts | Storage of sensitive information in GitHub Actions artifact |
| CWE-693 | GitHub Actions | actions/unmasked-secret-exposure | Unmasked Secret Exposure |
| CWE-693 | GitHub Actions | actions/cache-poisoning/code-injection | Cache Poisoning via low-privileged code injection |
| CWE-693 | GitHub Actions | actions/cache-poisoning/direct-cache | Cache Poisoning via caching of untrusted files |
| CWE-693 | GitHub Actions | actions/cache-poisoning/poisonable-step | Cache Poisoning via execution of untrusted code |
| CWE-693 | GitHub Actions | actions/pr-on-self-hosted-runner | Pull Request code execution on self-hosted runner |
| CWE-707 | GitHub Actions | actions/envpath-injection/critical | PATH environment variable built from user-controlled sources |
| CWE-707 | GitHub Actions | actions/envpath-injection/medium | PATH environment variable built from user-controlled sources |
| CWE-707 | GitHub Actions | actions/envvar-injection/critical | Environment variable built from user-controlled sources |
| CWE-707 | GitHub Actions | actions/envvar-injection/medium | Environment variable built from user-controlled sources |
| CWE-707 | GitHub Actions | actions/code-injection/critical | Code injection |
| CWE-707 | GitHub Actions | actions/code-injection/medium | Code injection |
| CWE-707 | GitHub Actions | actions/cache-poisoning/code-injection | Cache Poisoning via low-privileged code injection |
| CWE-707 | GitHub Actions | actions/output-clobbering/high | Output Clobbering |
| CWE-707 | GitHub Actions | actions/command-injection/critical | Command built from user-controlled sources |
| CWE-707 | GitHub Actions | actions/command-injection/medium | Command built from user-controlled sources |
| CWE-707 | GitHub Actions | actions/argument-injection/critical | Argument injection |
| CWE-707 | GitHub Actions | actions/argument-injection/medium | Argument injection |
| CWE-829 | GitHub Actions | actions/artifact-poisoning/critical | Artifact poisoning |
| CWE-829 | GitHub Actions | actions/artifact-poisoning/medium | Artifact poisoning |
| CWE-829 | GitHub Actions | actions/unpinned-tag | Unpinned tag for a non-immutable Action in workflow |
| CWE-829 | GitHub Actions | actions/untrusted-checkout/critical | Checkout of untrusted code in a privileged context |
| CWE-829 | GitHub Actions | actions/untrusted-checkout/high | Checkout of untrusted code in trusted context |
| CWE-829 | GitHub Actions | actions/untrusted-checkout/medium | Checkout of untrusted code in trusted context |
| CWE-829 | GitHub Actions | actions/artifact-poisoning/path-traversal | Artifact Poisoning (Path Traversal) |
| CWE-829 | GitHub Actions | actions/unversioned-immutable-action | Unversioned Immutable Action |
| CWE-913 | GitHub Actions | actions/code-injection/critical | Code injection |
| CWE-913 | GitHub Actions | actions/code-injection/medium | Code injection |
| CWE-913 | GitHub Actions | actions/cache-poisoning/code-injection | Cache Poisoning via low-privileged code injection |
| CWE-918 | GitHub Actions | actions/request-forgery | Uncontrolled data used in network request |
| CWE-922 | GitHub Actions | actions/excessive-secrets-exposure | Excessive Secrets Exposure |
| CWE-922 | GitHub Actions | actions/secrets-in-artifacts | Storage of sensitive information in GitHub Actions artifact |
| CWE-922 | GitHub Actions | actions/unmasked-secret-exposure | Unmasked Secret Exposure |
| CWE-1395 | GitHub Actions | actions/vulnerable-action | Use of a known vulnerable action |