
Rule Reference

SEC326 · lintai-ai-security · supply-chain · hardening · stable · github_workflow · warn

GitHub Actions: pull_request_target checkout

GitHub Actions pull_request_target workflow checks out untrusted pull request head content

Public lane: supply-chain
Category: hardening
Provider: lintai-ai-security
Scope: per-file
Surface: github_workflow
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message only
How to read this lane

Reproducibility, provenance, and dependency hardening review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Stable Lifecycle Contract

State: stable

Graduation rationale

Checks pull_request_target workflows for actions/checkout steps that explicitly pull untrusted pull request head refs instead of the base-branch ref that actions/checkout uses by default under this event.

Deterministic signal basis

GithubWorkflowSignals event gating plus line-level checkout ref extraction for pull_request_target workflows.

Malicious corpus: github-workflow-pull-request-target-head-checkout
Benign corpus: github-workflow-pull-request-target-safe-checkout
structured evidence required · remediation reviewed
Canonical note

Structural stable rule positioned as a supply-chain hardening control: high-precision and actionable, but not a blanket claim of direct repository compromise.

Why It Matters

pull_request_target runs with the base repository's privileges: the workflow file is taken from the base branch, the job can read repository secrets, and its GITHUB_TOKEN can carry write permissions. The event exists so that a trusted workflow can act on a pull request (label it, comment on it) without executing the contribution. If the workflow then checks out the untrusted pull request head and runs anything from it, for example a build script, a test suite or a package manager's install hooks, attacker-controlled code executes inside that privileged context, with the secrets and the token within reach.

What Triggers

SEC326 applies to semantically confirmed GitHub Actions workflow YAML and triggers when:

  • the workflow listens to pull_request_target
  • and an actions/checkout step explicitly checks out github.event.pull_request.head.* or github.head_ref

Example that triggers:

```yaml
on:
  pull_request_target:
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
```

Example that stays clean:

```yaml
on:
  pull_request_target:
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
```

False Positives

The rule is structural and fires only on the combination of a pull_request_target trigger and an actions/checkout step that explicitly requests the pull request head. It does not fire on ordinary pull_request workflows, where a fork's head is checked out by default but without repository secrets and with a read-only GITHUB_TOKEN, and it does not fire on pull_request_target workflows whose checkout step leaves ref unset.
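The two trigger conditions and the two non-firing cases described in this section, as a runnable line-level checker. This is an added example written for this page, not lintai's implementation or its GithubWorkflowSignals code; the function names (sec326, listens_to_pull_request_target, untrusted_checkouts), the Finding type and the sample workflows are all constructed for the illustration. It scans lines rather than loading YAML, which mirrors the rule's line-level ref extraction and avoids a parser dependency, and it handles the scalar, flow-list, block-list and mapping spellings of on: as well as steps that put uses: on a line after - name:.

```python
"""Line-level checker for the SEC326 pattern; an added example, not lintai's own code.
Mirrors the rule's two conditions: the top-level `on:` names pull_request_target and an
actions/checkout step sets `ref:` to github.event.pull_request.head.* or github.head_ref.
It scans lines rather than loading YAML, so it runs offline without a YAML library."""
import re
from dataclasses import dataclass

EVENT = "pull_request_target"
UNTRUSTED_HEAD_RE = re.compile(r"github\.(?:event\.pull_request\.head\.\w+|head_ref)\b")
# Top-level `on:`; quoted spellings allowed because `on` is a YAML 1.1 boolean.
ON_KEY_RE = re.compile(r"""^(?P<indent>\s*)['"]?on['"]?\s*:\s*(?P<value>.*)$""")
# `uses: actions/checkout@...`, on the step's `- ` line or on a later key line.
CHECKOUT_RE = re.compile(r"""^(?P<indent>\s*)(?P<dash>-\s+)?uses\s*:\s*['"]?actions/checkout(?:@|['"]|\s|$)""")
REF_RE = re.compile(r"""^(?P<indent>\s*)ref\s*:\s*(?P<value>.*)$""")
_clean = lambda text: [re.sub(r"(^|\s)#.*$", "", ln).rstrip() for ln in text.splitlines()]  # drop YAML comments
_indent = lambda line: len(line) - len(line.lstrip(" "))


@dataclass(frozen=True)
class Finding:
    line: int  # 1-based line of the offending `ref:`
    ref: str   # the ref expression as written, surrounding quotes removed


def listens_to_pull_request_target(text):
    """True if the top-level `on:` names the event in scalar, flow-list, block-list or mapping form."""
    lines = _clean(text)
    for i, line in enumerate(lines):
        m = ON_KEY_RE.match(line)
        if not m or m.group("indent"):
            continue  # an indented `on:` belongs to some other mapping
        value = m.group("value").strip()
        if value:  # `on: pull_request_target` or `on: [push, pull_request_target]`
            return EVENT in (t.strip("'\"") for t in re.split(r"[\[\],\s]+", value.strip("[]")))
        child_indent = 0
        for nxt in filter(str.strip, lines[i + 1:]):  # block form: direct children only
            if _indent(nxt) == 0:
                break
            child_indent = child_indent or _indent(nxt)
            if _indent(nxt) == child_indent:  # deeper lines are `types:`/`branches:` of some event
                key = re.match(r"""-?\s*['"]?(\w+)""", nxt.strip())
                if key and key.group(1) == EVENT:
                    return True
        return False
    return False


def untrusted_checkouts(text):
    """Every actions/checkout step whose `ref:` is an untrusted head expression."""
    lines, findings = _clean(text), []
    for i, line in enumerate(lines):
        m = CHECKOUT_RE.match(line)
        if not m:
            continue
        key_indent = len(m.group("indent")) + len(m.group("dash") or "")
        start = i  # when `uses:` is not on the `- ` line, rewind to the step's dash line
        if not m.group("dash"):
            start = next((k for k in range(i - 1, -1, -1) if _indent(lines[k]) == key_indent - 2
                          and lines[k].lstrip().startswith("-")), i)
        for j in range(start + 1, len(lines)):
            if not lines[j].strip():
                continue
            if _indent(lines[j]) < key_indent:
                break  # next step, or end of the steps list
            r = REF_RE.match(lines[j])
            if r and _indent(lines[j]) > key_indent and UNTRUSTED_HEAD_RE.search(r.group("value")):
                findings.append(Finding(j + 1, r.group("value").strip().strip("'\"")))
    return findings


def sec326(text):
    """Both conditions must hold; an empty list means the workflow stays clean."""
    return untrusted_checkouts(text) if listens_to_pull_request_target(text) else []


# Constructed sample workflows, not taken from any real repository.
HEAD_SHA_BLOCK_FORM = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - name: Check out contributor code  # `uses:` sits on the next line
        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test  # package scripts from the PR now run with secrets in reach
"""
HEAD_REF_LIST_FORM = """\
on: [push, pull_request_target]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          ref: "${{ github.head_ref }}"
"""
PLAIN_PULL_REQUEST = HEAD_SHA_BLOCK_FORM.replace("pull_request_target:", "pull_request:")
DEFAULT_CHECKOUT = "on:\n  pull_request_target:\njobs:\n  verify:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v6\n"
```

sec326(HEAD_SHA_BLOCK_FORM) returns one Finding at line 11 and sec326(HEAD_REF_LIST_FORM) one at line 8, while the plain pull_request sample and the default-checkout sample return an empty list even though the first of them still contains a head checkout. One caveat follows from the rule's scope as stated above: a step that fetches the head itself with a run: line (git fetch followed by git checkout FETCH_HEAD) is not an actions/checkout step and does not trigger SEC326, so a clean result is not proof that a pull_request_target workflow never executes contributor code.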

Remediation

Avoid checking out untrusted pull request head refs in pull_request_target workflows. Keep the default checkout, which under this event is the base branch and therefore only code already merged into the repository, or move the work that genuinely needs the contributor's code into a separate job that runs without privileges: pass no secrets through env or with, reduce that job's permissions to what it needs (contents: read, or an empty map), and set persist-credentials: false on its checkout step so the token is not written into the checked-out repository's git config. Steps that need secrets or write access stay in a job that only checks out the base branch. Where the untrusted work needs no privileged context at all, run it under plain pull_request and hand results to a privileged workflow_run job instead.