
Rule Reference

SEC326 · lintai-ai-security · stable · github_workflow · warn

GitHub Actions: pull_request_target checkout

GitHub Actions pull_request_target workflow checks out untrusted pull request head content

Provider: lintai-ai-security
Surface: github_workflow
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks pull_request_target workflows for actions/checkout steps that explicitly pull untrusted pull request head refs instead of the safer default, which for this event is the base branch.

Deterministic signal basis

GithubWorkflowSignals event gating plus line-level checkout ref extraction for pull_request_target workflows.

Malicious corpus
github-workflow-pull-request-target-head-checkout
Benign corpus
github-workflow-pull-request-target-safe-checkout
Badges: structured evidence required, remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

Why It Matters

pull_request_target runs in the context of the base repository rather than the contributor's fork: the GITHUB_TOKEN can carry write scopes and repository secrets are available, even for a pull request opened from a fork. If the workflow then checks out the untrusted pull request head and builds, tests or otherwise executes it, it combines that privileged context with attacker-controlled code, and whatever the job can reach (the token, secrets, caches, the ability to push or publish) is exposed to the contributor.

What Triggers

SEC326 applies to semantically confirmed GitHub Actions workflow YAML and triggers when:

  • the workflow listens to pull_request_target
  • and an actions/checkout step sets its ref input explicitly to github.event.pull_request.head.* (for example head.sha or head.ref) or to github.head_ref

Example that triggers:

```yaml
on:
  pull_request_target:
jobs:
  verify:
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
```

Example that stays clean:

```yaml
on:
  pull_request_target:
jobs:
  verify:
    steps:
      - uses: actions/checkout@v6
```
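The two trigger conditions above, worked into a small line-level detector. This is an added illustration written for this page, not the lintai rule's own implementation: it assumes one-key-per-line workflow YAML and scans lines instead of parsing YAML (a production implementation would parse), and the sample workflows are constructed, the first two copied from the page's examples.

```python
import re

# Expression fragments the rule treats as the untrusted PR head (from the rule text).
UNTRUSTED_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.\w+|github\.head_ref")
# A top-level mapping key such as `on:` or `"on":` (no leading whitespace).
TOP_LEVEL_KEY = re.compile(r"""^["']?([\w-]+)["']?:""")
# A `- uses: actions/checkout[@ref]` step line, with an optional trailing comment.
CHECKOUT_STEP = re.compile(r"""^\s*-\s*uses:\s*["']?actions/checkout(?:@[^\s"']+)?["']?\s*(?:#.*)?$""")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def listens_to_pull_request_target(lines):
    """True if the top-level `on:` block names pull_request_target in scalar,
    flow-list or block-mapping form. Line-based, not YAML-parsed (assumption)."""
    in_on = False
    child_indent = None
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key = TOP_LEVEL_KEY.match(line)
        if key:
            in_on = key.group(1) == "on"
            child_indent = None
            # on: pull_request_target  /  on: [pull_request, pull_request_target]
            if in_on and re.search(r"\bpull_request_target\b", line.split(":", 1)[1]):
                return True
            continue
        if not in_on:
            continue
        if child_indent is None:
            child_indent = _indent(line)  # indentation of the event names under `on:`
        if _indent(line) == child_indent and re.match(r"-?\s*pull_request_target\b", line.strip()):
            return True
    return False


def find_untrusted_head_checkouts(lines):
    """Return (1-based line number, ref value) for every actions/checkout step
    whose `ref` input names the PR head. Only the step's own indented body is
    inspected, so a `ref:` elsewhere (e.g. inside a run: script) is ignored."""
    findings = []
    i = 0
    while i < len(lines):
        if not CHECKOUT_STEP.match(lines[i]):
            i += 1
            continue
        step_indent = _indent(lines[i])
        i += 1
        while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > step_indent):
            ref = re.match(r"^\s*ref:\s*(.+?)\s*$", lines[i])
            if ref and UNTRUSTED_HEAD_REF.search(ref.group(1)):
                findings.append((i + 1, ref.group(1)))
            i += 1
    return findings


def sec326(workflow_text):
    """Apply both rule conditions; one finding string per offending checkout."""
    lines = workflow_text.splitlines()
    if not listens_to_pull_request_target(lines):
        return []  # ordinary pull_request workflows never fire
    return [f"SEC326 line {ln}: pull_request_target workflow checks out untrusted ref {ref}"
            for ln, ref in find_untrusted_head_checkouts(lines)]


# Constructed samples; the first two mirror the page's own examples.
TRIGGERING = """\
on:
  pull_request_target:
jobs:
  verify:
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""
CLEAN = """\
on:
  pull_request_target:
jobs:
  verify:
    steps:
      - uses: actions/checkout@v6
"""
ORDINARY_PR = TRIGGERING.replace("pull_request_target:", "pull_request:")
LIST_FORM = """\
on: [pull_request, pull_request_target]
jobs:
  verify:
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          ref: ${{ github.head_ref }}
      - run: npm test
"""

if __name__ == "__main__":
    for name, text in [("triggering", TRIGGERING), ("clean", CLEAN),
                       ("ordinary_pr", ORDINARY_PR), ("list_form", LIST_FORM)]:
        print(name, sec326(text) or "no findings")
```

Note what the detector, like the rule as described, does not cover: a ref of refs/pull/N/merge, or a run step that fetches the contributor's commits itself, never matches UNTRUSTED_HEAD_REF and so needs its own review.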

False Positives

The rule is structural and tied specifically to the pull_request_target event combined with an explicit actions/checkout ref of the pull request head. It does not fire on ordinary pull_request workflows (where a fork PR gets a read-only token and no repository secrets), nor on default checkout behavior. The flip side of that precision is scope: a pull_request_target workflow that obtains the contributor's commits some other way, for example a run step calling git fetch or gh pr checkout, does not match the conditions above and needs separate review.

Remediation

Avoid checking out untrusted pull request head refs in pull_request_target workflows. Keep the default checkout, which for this event is the base branch and therefore contains only code already merged into the repository. Anything that must build or execute contributor code belongs in an unprivileged pull_request workflow, with privileged follow-up (labelling, commenting, publishing) done in a separate workflow_run workflow that never executes the contributor's code. If a single workflow really has to touch the head, split privileged and untrusted execution into separate jobs and keep the untrusted job minimal: permissions: {}, no secrets, persist-credentials: false on the checkout, and treat its outputs and artifacts as untrusted input.