Add lotp_targets field to untrusted_checkout_exec findings #386
+179
−56
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Resolves the target file(s) an attacker should inject into when exploiting a pwn request vulnerability. Static targets use a lookup table (npm→package.json, make→Makefile, etc.), dynamic targets extract file paths via regex from step.run content. The field is an array (lotp_targets) to handle cases where a single run: block references multiple scripts. URL-based references are filtered out to only surface local repository files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This PR adds a lotp_targets field to untrusted_checkout_exec findings to identify which files an attacker would need to inject into when exploiting a pwn request vulnerability. The implementation uses static lookup tables for tools with standard configuration files (e.g., npm→package.json) and dynamic regex-based extraction for tools that reference script files in their execution commands (e.g., bash→*.sh files). URL-based references are filtered out to surface only local repository files.
Changes:
- Added
LOTPTargetsfield toFindingMetastruct in results.go as a string array with JSON taglotp_targets - Implemented target resolution logic in utils.rego with static mappings for 32 tools and dynamic patterns for bash, powershell, python, and chmod
- Integrated target resolution into untrusted_checkout_exec findings for GitHub Actions, Azure DevOps, and Tekton pipelines
- Added comprehensive test coverage including static targets, dynamic multi-file scenarios, and URL filtering
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| results/results.go | Added LOTPTargets field to FindingMeta struct for storing target file paths |
| opa/rego/poutine/utils.rego | Implemented lotp_targets resolution with static lookup table and dynamic regex patterns, including URL filtering and path normalization |
| opa/rego/rules/untrusted_checkout_exec.rego | Integrated lotp_targets into findings via _lotp_targets_meta helper function across GitHub Actions, Azure DevOps, and Tekton |
| scanner/inventory_test.go | Updated test expectations to verify lotp_targets for various tools including npm, pre-commit, bash, chmod, and vale |
| scanner/testdata/.github/workflows/test_new_fields.yml | Added test workflow with multi-script bash execution to test dynamic target extraction |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+82
to
+112
| lotp_static_targets := { | ||
| "ant": "build.xml", | ||
| "bundler": "Gemfile", | ||
| "cargo": "Cargo.toml", | ||
| "checkov": ".checkov.yml", | ||
| "docker": "Dockerfile", | ||
| "eslint": "eslint.config.js", | ||
| "golangci-lint": ".golangci.yml", | ||
| "gomplate": ".gomplate.yaml", | ||
| "goreleaser": ".goreleaser.yaml", | ||
| "gradle": "build.gradle", | ||
| "make": "Makefile", | ||
| "maven": "pom.xml", | ||
| "mkdocs": "mkdocs.yml", | ||
| "msbuild": "Directory.Build.props", | ||
| "mypy": "mypy.ini", | ||
| "npm": "package.json", | ||
| "phpstan": "phpstan.neon", | ||
| "pip": "requirements.txt", | ||
| "pre-commit": ".pre-commit-config.yaml", | ||
| "rake": "Rakefile", | ||
| "rubocop": ".rubocop.yml", | ||
| "sonar-scanner": "sonar-project.properties", | ||
| "stylelint": ".stylelintrc.js", | ||
| "terraform": "main.tf", | ||
| "tflint": ".tflint.hcl", | ||
| "tofu": "main.tf", | ||
| "vale": ".vale.ini", | ||
| "webpack": "webpack.config.js", | ||
| "yarn": "package.json", | ||
| } |
There was a problem hiding this comment.
Some tools in the static targets mapping use only one specific config file name, but many of these tools support multiple config file formats and names. For example:
- eslint supports: .eslintrc.js, .eslintrc.json, .eslintrc.yml, .eslintrc.yaml, .eslintrc, eslint.config.js, eslint.config.mjs, eslint.config.cjs, and package.json
- stylelint supports: .stylelintrc.js, .stylelintrc.json, .stylelintrc.yml, .stylelintrc.yaml, .stylelintrc, stylelint.config.js, stylelint.config.cjs, and package.json
- mypy supports: mypy.ini, .mypy.ini, pyproject.toml, and setup.cfg
While using the most common config file is a reasonable starting point, attackers could potentially use alternative config files that aren't listed here. Consider either:
- Expanding the mapping to support multiple possible target files per tool (e.g., making the value an array instead of a string)
- Adding a comment documenting that only the most common config file is listed for each tool
- Using dynamic patterns for tools with many config file variations
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolves the target file(s) an attacker should inject into when exploiting a pwn request vulnerability. Static targets use a lookup table (npm→package.json, make→Makefile, etc.), dynamic targets extract file paths via regex from step.run content.
The field is an array (lotp_targets) to handle cases where a single run: block references multiple scripts. URL-based references are filtered out to only surface local repository files.