Module ghsec::checks::fork_pull_request_workflows


The fork_pull_request_workflows check ensures that the “Fork pull request workflows from outside collaborators” setting uses a secure value.

Allowing outside contributors to run CI workflows without being a known contributor or without approval is a security risk, since workflows that run in pull requests can be changed by the pull request triggering the workflow itself.

“Require approval for first-time contributors” should be the default in recently created repositories, and is a secure option since, as the name implies, it requires approval before workflows run in pull requests opened by new contributors.

Again, GitHub pushed this feature to production without a corresponding API (see the discussion), so all this check can do is print a reminder with a link to the settings page of the corresponding repository.
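As an added illustration of what such a reminder-only check looks like (this is example code written for this page, not the ghsec project's own implementation; the `CheckOutcome` type and the `/settings/actions` path are assumptions), the function below validates the owner and repository names before building the settings URL, so that a malformed or attacker-supplied name cannot produce a link pointing somewhere other than the intended repository's settings page:

```rust
// Added example, not the ghsec project's code.

/// Result of a check that has no API backing and therefore needs a human look.
/// (Assumption: ghsec's real result type is different.)
#[derive(Debug, PartialEq)]
pub enum CheckOutcome {
    /// Could not be verified automatically; the user must check the settings page.
    ManualReview { message: String, url: String },
    /// The owner/repo reference was rejected before any URL was built.
    Invalid(String),
}

/// Conservative allow-list for GitHub owner and repository names:
/// ASCII alphanumerics plus '-', '_' and '.', never empty and never a
/// bare "." or "..", so the value cannot introduce extra path segments.
fn is_valid_name(s: &str) -> bool {
    !s.is_empty()
        && s != "."
        && s != ".."
        && s
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.'))
}

/// Build the reminder for the fork_pull_request_workflows check.
/// Assumption: the Actions settings page lives at /settings/actions.
pub fn fork_pull_request_workflows_check(owner: &str, repo: &str) -> CheckOutcome {
    if !is_valid_name(owner) || !is_valid_name(repo) {
        return CheckOutcome::Invalid(format!(
            "refusing to build a settings URL for {owner:?}/{repo:?}"
        ));
    }
    let url = format!("https://github.com/{owner}/{repo}/settings/actions");
    let message = format!(
        "{owner}/{repo}: the 'Fork pull request workflows from outside collaborators' \
         setting cannot be read via the API; verify it is set to \
         'Require approval for first-time contributors'"
    );
    CheckOutcome::ManualReview { message, url }
}

fn main() {
    // Constructed sample inputs: one well-formed reference, one with a path-like name.
    for (owner, repo) in [("octocat", "hello-world"), ("someone", "../settings")] {
        match fork_pull_request_workflows_check(owner, repo) {
            CheckOutcome::ManualReview { message, url } => println!("{message}\n  -> {url}"),
            CheckOutcome::Invalid(reason) => println!("skipped: {reason}"),
        }
    }
}
```

The check still cannot decide pass or fail on its own; its value is that the reminder it prints always points at the repository it was asked about and at nothing else.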

Sources

Structs