From 22e7b9a825f35cb9414e6ae999094777e29d10ea Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Tue, 7 Jan 2025 15:35:12 -0500 Subject: [PATCH 01/10] Convert trusted actions list to data extension --- .../UseOfUnversionedImmutableAction.qll | 6 ++++++ .../trusted/trusted_actions_owner.model.yml | 8 ++++++++ actions/ql/lib/qlpack.yml | 1 + .../src/Security/CWE-829/UnpinnedActionsTag.ql | 17 +++++++++-------- 4 files changed, 24 insertions(+), 8 deletions(-) create mode 100644 actions/ql/lib/codeql/actions/security/owner/trusted/trusted_actions_owner.model.yml diff --git a/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll index ef258fce2e5c..3fead3c8bf3e 100644 --- a/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll +++ b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll @@ -9,6 +9,12 @@ class UnversionedImmutableAction extends UsesStep { } } +// The following predicate is extended in data extensions under actions/ql/lib/codeql/actions/security/owner/ +// and can be extended with custom model packs as necessary. + +/** Holds for actions owner defined in data extensions */ +extensible predicate trustedActionsOwner(string owner); + bindingset[version] predicate isSemVer(string version) { // https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string with optional v prefix diff --git a/actions/ql/lib/codeql/actions/security/owner/trusted/trusted_actions_owner.model.yml b/actions/ql/lib/codeql/actions/security/owner/trusted/trusted_actions_owner.model.yml new file mode 100644 index 000000000000..7abf725ec6f7 --- /dev/null +++ b/actions/ql/lib/codeql/actions/security/owner/trusted/trusted_actions_owner.model.yml 
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: trustedActionsOwner
+ data:
+ - ["actions"]
+ - ["github"]
+ - ["advanced-security"]
\ No newline at end of file
diff --git a/actions/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml
index 83cdaabc80dd..d946ecdfa7fd 100644
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -14,3 +14,4 @@ dataExtensions:
 - ext/manual/*.model.yml
 - ext/generated/**/*.model.yml
 - ext/config/*.yml
+ - codeql/actions/security/owner/**/*.model.yml
diff --git a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
index de8d3c2078a8..e36287ecb81e 100644
--- a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
+++ b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
@@ -17,14 +17,15 @@ import codeql.actions.security.UseOfUnversionedImmutableAction
 bindingset[version]
 private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }
 
-bindingset[repo]
-private predicate isTrustedOrg(string repo) {
- repo.matches(["actions", "github", "advanced-security"] + "/%")
+bindingset[nwo]
+private predicate isTrustedOwner(string nwo) {
+ // Gets the segment before the first '/' in the name with owner(nwo) string
+ trustedActionsOwner(nwo.substring(0, nwo.indexOf("/")))
 }
 
-from UsesStep uses, string repo, string version, Workflow workflow, string name
+from UsesStep uses, string nwo, string version, Workflow workflow, string name
 where
- uses.getCallee() = repo and
+ uses.getCallee() = nwo and
 uses.getEnclosingWorkflow() = workflow and
 (
 workflow.getName() = name
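Review bot: The new allowlist file carries no explanation of what an entry does, yet every owner listed here switches the `actions/unpinned-tag` alert off for all of that owner's Actions, mutable tags included, which anyone editing this list should understand before adding a row. A header comment would make the contract explicit, e.g. `# Owners whose Actions are exempt from actions/unpinned-tag. Each entry is matched by exact string equality against the part of the uses: target before the first '/'.` The file is also missing its trailing newline.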
@@ -32,9 +33,9 @@ where not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name ) and uses.getVersion() = version and - not isTrustedOrg(repo) and + not isTrustedOwner(nwo) and not isPinnedCommit(version) and - not isImmutableAction(uses, repo) + not isImmutableAction(uses, nwo) select uses.getCalleeNode(), - "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version + + "Unpinned 3rd party Action '" + name + "' step $@ uses '" + nwo + "' with ref '" + version + "', not a pinned commit hash", uses, uses.toString() From 8f9aecd76ff072be9303f6e35ebf912a09166b0e Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Tue, 7 Jan 2025 15:55:58 -0500 Subject: [PATCH 02/10] Add change notes for expanding Trusted Action owner list using data extensions --- actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md diff --git a/actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md b/actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md new file mode 100644 index 000000000000..eb92c4f2817f --- /dev/null +++ b/actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md @@ -0,0 +1,4 @@ +--- +category: feature +--- +* Trusted Action owner list can now be expanded using data extensions for `trustedActionsOwner` on the query `actions/unpinned-tag` \ No newline at end of file From e4cfd97069ba3b96cd7ee441d73866a9b39a45f6 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Tue, 7 Jan 2025 17:01:33 -0500 Subject: [PATCH 03/10] Format --- actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index e36287ecb81e..27a35e3db302 100644 
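Review bot: `nwo.indexOf("/")` in the new `isTrustedOwner` yields every index at which `/` occurs, not only the first, so the predicate tests each slash-delimited prefix of `nwo` against the allowlist (for `a/b/c` both `a` and `a/b`), and the comment above it overstates what the expression does. This is harmless with the three shipped owners because none contains a `/`, but a model-pack row such as `["github/codeql"]` would quietly widen the "owner" contract to repository-level trust without anyone having decided that. To bind exactly the first segment use `trustedActionsOwner(nwo.splitAt("/", 0))` and reword the comment to `// The owner is the segment before the first '/' of the name-with-owner (nwo) string`. The `from`/`where` clause started in this hunk continues past its end into the next hunk.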
--- a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -18,8 +18,8 @@ bindingset[version] private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") } bindingset[nwo] -private predicate isTrustedOwner(string nwo) { - // Gets the segment before the first '/' in the name with owner(nwo) string +private predicate isTrustedOwner(string nwo) { + // Gets the segment before the first '/' in the name with owner(nwo) string trustedActionsOwner(nwo.substring(0, nwo.indexOf("/"))) } From 35587ed3e789d887613d58e987a07e4dff1aa8a9 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Tue, 7 Jan 2025 17:02:37 -0500 Subject: [PATCH 04/10] Format lib --- .../codeql/actions/security/UseOfUnversionedImmutableAction.qll | 1 - 1 file changed, 1 deletion(-) diff --git a/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll index 3fead3c8bf3e..4a6aca7f3525 100644 --- a/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll +++ b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll @@ -11,7 +11,6 @@ class UnversionedImmutableAction extends UsesStep { // The following predicate is extended in data extensions under actions/ql/lib/codeql/actions/security/owner/ // and can be extended with custom model packs as necessary. - /** Holds for actions owner defined in data extensions */ extensible predicate trustedActionsOwner(string owner); From 3e94a4c2bf9358488d5e08fe46652ffe214b4fd2 Mon Sep 17 00:00:00 2001 
From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Tue, 7 Jan 2025 17:22:24 -0500 Subject: [PATCH 05/10] Refactor trusted actions owner model - use existing data extensions config and yml folder - rename from trustedActionsOwner to trustedActionsOwnerDataModel - update related predicates --- .../ql/lib/change-notes/2025-01-07-trusted-owner-ext.md | 2 +- actions/ql/lib/codeql/actions/config/Config.qll | 7 +++++++ actions/ql/lib/codeql/actions/config/ConfigExtensions.qll | 6 ++++++ .../actions/security/UseOfUnversionedImmutableAction.qll | 5 ----- .../config/trusted_actions_owner.yml} | 2 +- actions/ql/lib/qlpack.yml | 1 - actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 2 +- 7 files changed, 16 insertions(+), 9 deletions(-) rename actions/ql/lib/{codeql/actions/security/owner/trusted/trusted_actions_owner.model.yml => ext/config/trusted_actions_owner.yml} (74%) diff --git a/actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md b/actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md index eb92c4f2817f..58a41ec36aac 100644 --- a/actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md +++ b/actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md @@ -1,4 +1,4 @@ --- category: feature --- -* Trusted Action owner list can now be expanded using data extensions for `trustedActionsOwner` on the query `actions/unpinned-tag` \ No newline at end of file +* Trusted Action owner list can now be expanded using data extensions for `trustedActionsOwnerDataModel` on the query `actions/unpinned-tag` \ No newline at end of file diff --git a/actions/ql/lib/codeql/actions/config/Config.qll b/actions/ql/lib/codeql/actions/config/Config.qll index 265d4bd820f8..c56e24a33294 100644 --- a/actions/ql/lib/codeql/actions/config/Config.qll +++ b/actions/ql/lib/codeql/actions/config/Config.qll 
@@ -126,6 +126,13 @@ predicate vulnerableActionsDataModel( */ predicate immutableActionsDataModel(string action) { Extensions::immutableActionsDataModel(action) } +/** + * MaD models for trusted actions owners + * Fields: + * - owner: owner name + */ +predicate trustedActionsOwnerDataModel(string owner) { Extensions::trustedActionsOwnerDataModel(owner) } + /** * MaD models for untrusted git commands * Fields: diff --git a/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll b/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll index 99ad7eb8df1b..047151d30f92 100644 --- a/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll +++ b/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll @@ -63,6 +63,12 @@ extensible predicate vulnerableActionsDataModel( */ extensible predicate immutableActionsDataModel(string action); + +/** + * Holds for trusted Actions owners. + */ +extensible predicate trustedActionsOwnerDataModel(string owner); + /** * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch. */ diff --git a/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll index 4a6aca7f3525..ef258fce2e5c 100644 --- a/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll +++ b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll @@ -9,11 +9,6 @@ class UnversionedImmutableAction extends UsesStep { } } -// The following predicate is extended in data extensions under actions/ql/lib/codeql/actions/security/owner/ -// and can be extended with custom model packs as necessary. -/** Holds for actions owner defined in data extensions */ -extensible predicate trustedActionsOwner(string owner); - bindingset[version] predicate isSemVer(string version) { // https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string with optional v prefix 
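Review bot: The docstring `Holds for trusted Actions owners.` on the new `extensible predicate trustedActionsOwnerDataModel` in the `ConfigExtensions.qll` hunk says neither what "trusted" buys an owner nor how the value is matched, and because any model pack targeting `codeql/actions-all` can add rows to it, that contract needs to be stated at the predicate rather than discovered in the query. I would expand it to say that `owner` is an Action publisher whose Actions are exempt from the `actions/unpinned-tag` alert, that it is compared by exact string equality with the segment of the `uses:` target before the first `/`, and that adding a row suppresses the alert for every Action that owner publishes regardless of how its tags are managed. The matching `MaD models for trusted actions owners` comment in the `Config.qll` hunk above should carry the same statement on its `owner` field.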
diff --git a/actions/ql/lib/codeql/actions/security/owner/trusted/trusted_actions_owner.model.yml b/actions/ql/lib/ext/config/trusted_actions_owner.yml similarity index 74% rename from actions/ql/lib/codeql/actions/security/owner/trusted/trusted_actions_owner.model.yml rename to actions/ql/lib/ext/config/trusted_actions_owner.yml index 7abf725ec6f7..c90b1afee769 100644 --- a/actions/ql/lib/codeql/actions/security/owner/trusted/trusted_actions_owner.model.yml +++ b/actions/ql/lib/ext/config/trusted_actions_owner.yml @@ -1,7 +1,7 @@ extensions: - addsTo: pack: codeql/actions-all - extensible: trustedActionsOwner + extensible: trustedActionsOwnerDataModel data: - ["actions"] - ["github"] diff --git a/actions/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml index d946ecdfa7fd..83cdaabc80dd 100644 --- a/actions/ql/lib/qlpack.yml +++ b/actions/ql/lib/qlpack.yml @@ -14,4 +14,3 @@ dataExtensions: - ext/manual/*.model.yml - ext/generated/**/*.model.yml - ext/config/*.yml - - codeql/actions/security/owner/**/*.model.yml diff --git a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index 27a35e3db302..6bb2345fc26e 100644 --- a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -20,7 +20,7 @@ private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f bindingset[nwo] private predicate isTrustedOwner(string nwo) { // Gets the segment before the first '/' in the name with owner(nwo) string - trustedActionsOwner(nwo.substring(0, nwo.indexOf("/"))) + trustedActionsOwnerDataModel(nwo.substring(0, nwo.indexOf("/"))) } from UsesStep uses, string nwo, string version, Workflow workflow, string name From bccec0a711da0f48280a3f9054cec7f937c52184 Mon Sep 17 00:00:00 2001 
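Review bot: The join `trustedActionsOwnerDataModel(nwo.substring(0, nwo.indexOf("/")))` in the `UnpinnedActionsTag.ql` hunk is exact, case-sensitive string equality, so `uses: Actions/checkout@v4` is not covered by the `actions` row and is reported while `actions/checkout@v4` is not; as far as I know GitHub resolves owner names case-insensitively, so both refer to the same publisher. That direction fails closed (an extra alert, not a missed one), so it may be acceptable, but it should be a deliberate choice: either add `// Matching is exact and case-sensitive; rows must use the owner's canonical spelling` or normalise both sides with `exists(string owner | trustedActionsOwnerDataModel(owner) | owner.toLowerCase() = nwo.splitAt("/", 0).toLowerCase())`. The enclosing `isTrustedOwner` predicate starts before this hunk.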
From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Tue, 7 Jan 2025 17:25:40 -0500 Subject: [PATCH 06/10] Format --- actions/ql/lib/codeql/actions/config/ConfigExtensions.qll | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll b/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll index 047151d30f92..68685f5874bb 100644 --- a/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll +++ b/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll @@ -63,8 +63,7 @@ extensible predicate vulnerableActionsDataModel( */ extensible predicate immutableActionsDataModel(string action); - -/** +/** * Holds for trusted Actions owners. */ extensible predicate trustedActionsOwnerDataModel(string owner); From 6b3098d26c5e696e4c9a6dfb324b5ce0e7276837 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Tue, 7 Jan 2025 19:26:18 -0500 Subject: [PATCH 07/10] Add configuration instructions for trusted Action publishers using data extensions --- .../Security/CWE-829/UnpinnedActionsTag.md | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md index d7c114f0404e..cdeca42249b7 100644 --- a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md +++ b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md 
@@ -8,6 +8,42 @@ Using a tag for a 3rd party Action that is not pinned to a commit can lead to ex Pinning an action to a full length commit SHA is currently the only way to use a non-immutable action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. + +### Configuration + +If there is an Action publisher that you trust, you can include the owner name/organization in a data extension model pack to add it to the allow list for this query. Adding owners to this list will prevent security alerts when using unpinned tags for Actions published by that owner. + +#### Example + +To allow any Action from the publisher `octodemo`, such as `octodemo/3rd-party-action`, follow these steps: + +1. Create a data extension file `/models/trusted-owner.model.yml` with the following content: + + ```yaml + extensions: + - addsTo: + pack: codeql/actions-all + extensible: trustedActionsOwnerDataModel + data: + - ["octodemo"] + ``` + +2. Create a model pack file `/codeql-pack.yml` with the following content: + + ```yaml + name: my-org/actions-extensions-model-pack + version: 0.0.0 + library: true + extensionTargets: + codeql/actions-all: '*' + dataExtensions: + - models/**/*.yml + ``` + +3. Ensure that the model pack is included in your CodeQL analysis. + +By following these steps, you will add `octodemo` to the list of trusted Action publishers, and the query will no longer generate security alerts for unpinned tags from this publisher. + ## Examples ### Incorrect Usage 
@@ -25,3 +61,6 @@ Pinning an action to a full length commit SHA is currently the only way to use a ## References - [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) +- [Extending CodeQL coverage with CodeQL model packs in default setup](https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup) +- [Creating and working with CodeQL packs](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack) + From 26074bb7fe7c872e2d60677da3c561c6aba59bb0 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Thu, 9 Jan 2025 19:30:02 -0500 Subject: [PATCH 08/10] Make docs less verbose regarding codeql config + enhance changlog to highlight extensibility --- .../2025-01-07-trusted-owner-ext.md | 2 +- .../Security/CWE-829/UnpinnedActionsTag.md | 36 ------------------- 2 files changed, 1 insertion(+), 37 deletions(-) diff --git a/actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md b/actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md index 58a41ec36aac..f8593f3c44e2 100644 --- a/actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md +++ b/actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md 
@@ -1,4 +1,4 @@ --- category: feature --- -* Trusted Action owner list can now be expanded using data extensions for `trustedActionsOwnerDataModel` on the query `actions/unpinned-tag` \ No newline at end of file +* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a data extension model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. \ No newline at end of file diff --git a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md index cdeca42249b7..759b3e838b55 100644 --- a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md +++ b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md 
@@ -8,42 +8,6 @@ Using a tag for a 3rd party Action that is not pinned to a commit can lead to ex Pinning an action to a full length commit SHA is currently the only way to use a non-immutable action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. - -### Configuration - -If there is an Action publisher that you trust, you can include the owner name/organization in a data extension model pack to add it to the allow list for this query. Adding owners to this list will prevent security alerts when using unpinned tags for Actions published by that owner. - -#### Example - -To allow any Action from the publisher `octodemo`, such as `octodemo/3rd-party-action`, follow these steps: - -1. Create a data extension file `/models/trusted-owner.model.yml` with the following content: - - ```yaml - extensions: - - addsTo: - pack: codeql/actions-all - extensible: trustedActionsOwnerDataModel - data: - - ["octodemo"] - ``` - -2. Create a model pack file `/codeql-pack.yml` with the following content: - - ```yaml - name: my-org/actions-extensions-model-pack - version: 0.0.0 - library: true - extensionTargets: - codeql/actions-all: '*' - dataExtensions: - - models/**/*.yml - ``` - -3. Ensure that the model pack is included in your CodeQL analysis. - -By following these steps, you will add `octodemo` to the list of trusted Action publishers, and the query will no longer generate security alerts for unpinned tags from this publisher. - ## Examples ### Incorrect Usage From f413c4f46734b49dd86f67366aae4545104fa6d4 Mon Sep 17 00:00:00 2001 
From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Thu, 9 Jan 2025 19:32:06 -0500 Subject: [PATCH 09/10] Remove codeql config references from query doc --- actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md index 759b3e838b55..f8ea2fdc82fe 100644 --- a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md +++ b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md @@ -24,7 +24,4 @@ Pinning an action to a full length commit SHA is currently the only way to use a ## References -- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) -- [Extending CodeQL coverage with CodeQL model packs in default setup](https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup) -- [Creating and working with CodeQL packs](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack) - +- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) \ No newline at end of file From 1a4c2058a0f0a3b2fdd0c42aa381b7a0473f1812 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Thu, 9 Jan 2025 19:39:06 -0500 Subject: [PATCH 10/10] codeql query format --- actions/ql/lib/codeql/actions/config/Config.qll | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/actions/ql/lib/codeql/actions/config/Config.qll b/actions/ql/lib/codeql/actions/config/Config.qll
index c56e24a33294..08bc7e860c67 100644
--- a/actions/ql/lib/codeql/actions/config/Config.qll
+++ b/actions/ql/lib/codeql/actions/config/Config.qll
@@ -131,7 +131,9 @@ predicate immutableActionsDataModel(string action) { Extensions::immutableAction
 * Fields:
 * - owner: owner name
 */
-predicate trustedActionsOwnerDataModel(string owner) { Extensions::trustedActionsOwnerDataModel(owner) }
+predicate trustedActionsOwnerDataModel(string owner) {
+ Extensions::trustedActionsOwnerDataModel(owner)
+}
 
 /**
 * MaD models for untrusted git commands