Merge branch 'main' of https://github.com/robandpdx-org/workflow-script-injection

Author: robandpdx

.github/workflows/unpinned-action.yml

@@ -0,0 +1,14 @@
+on: [workflow_dispatch]
+
+name: "Unpinned Action Example"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    environment: prod
+    steps:
+    - name: Checkout repository
+      uses: actions-third-party-mirror/checkout@v3
+
+    - run: |
+        ./build.sh

exercises/exercise-5.md

@@ -2,11 +2,11 @@
 ## Creating an Actions workflow to scan Workflow files using CodeQL
 In this section we are going to create an Actions workflow to scan existing workflows for any security weaknesses.
 
-In your repository, `click` on the [`Actions`](../../actions) tab
+In your repository, `click` on the [`Actions`](../../../actions) tab
 
 _**NOTE:** If `Actions`tab is not available (this should not happen since you are looking to scan Actions workflows after all), please contact your organization admin or repository admin to enable it. See [enabling Actions section in the documentation](https://docs.github.com/en/enterprise-cloud@latest/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository) for more details._
 
-This will take you to the `Actions` page and now click on the `new workflow` button to create a workflow. Alternatively, you can click [this link](../../actions/new).
+This will take you to the `Actions` page and now click on the `new workflow` button to create a workflow. Alternatively, you can click [this link](../../../actions/new).
 
 This will put you in the `starter workflows` page. Enter `CodeQL Analysis` in the `Search` field and search. 
 You should see one result. Click on `Configure` button on the resulting workflow template. This will take you to the edit window of the the workflow file.
@@ -45,4 +45,4 @@ You'll see the details of the alert including the file where this weakness exist
 
 Modify the problematic workflow file as suggested, and commit the changes.
 
-Once the file is committed, it will trigger the `Actions Workflow CodeQL` and the alert should be resolved if the recommend fix was implemented.
+Once the file is committed, it will trigger the `Actions Workflow CodeQL` and the alert should be resolved if the recommend fix was implemented.

exercises/exercise-6.md

@@ -0,0 +1,85 @@
+# Exercise 6 - Enhance the detection of vulnerabilities using third party queries
+We know CodeQL is a perfect tool for detecting vulnerablities because:
+- It helps us to treat Workflows as code
+- Treat code as data and extract it into a database
+- Look for known vulnerabilities using built-in queries
+- Create custom queries and expand coverage;
+- Use code scanning to create alerts
+- Use actions to block PRs
+- Use deployment protection rules to block jobs
+
+In the next exercise we will explore how to expand the coverage by using third party queries to detect `unpinned` actions.
+
+## Unpinned Actions
+The individual jobs in a GitHub Actions workflow can interact with (and compromise) other jobs. For example, a job querying the environment variables used by a later job, writing files to a shared directory that a later job processes, or even more directly by interacting with the Docker socket and inspecting other running containers and executing commands in them. This means that a compromise of a single action within a workflow can be very significant, as that compromised action would have access to all secrets configured on your repository, and may be able to use the GITHUB_TOKEN to write to the repository. Consequently, there is significant risk in sourcing actions from third-party repositories on GitHub. For information on some of the steps an attacker could take, see [Security hardening for GitHub Actions.](https://docs.github.com/en/enterprise-cloud@latest/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
+
+GitHub's Field Team's has built Custom CodeQL Queries, Suites, and Configurations to address several vulnerabilities and they have a query for `CWE-829` to detect Unpinned Actions. The queries are part of the https://github.com/advanced-security/codeql-queries/ repo. 
+
+In our exercise we have included a workflow file called `unpinned-action.yml` that has this vulnerability and our goal is to detect this vulnerability using the advanced security queries developed by the GitHub field team.
+
+## Create a code scanning config file.
+A custom configuration file is an alternative way to specify additional packs and queries to run. You can also use the file to disable the default queries, exclude or include specific queries, and to specify which directories to scan during analysis. See [Using a custom configuration file](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-a-custom-configuration-file)
+
+In this workshop we will customize to:
+- Add one addtional pack `advanced-security/codeql-javascript`
+- Add a path filter to only look at the workflows
+- Add a query filter to only use the Actions specific queries.
+_**NOTE:**_  The last two customizations are to improve the performance by reducing the codebase and using a narrow set of queries.
+
+  
+Create a config file in the root of the repository with the following name `codeql-config.yml`. Add the following contents in the file:
+```
+packs:
+  # Use the latest version of 'codeql-javascript' published by 'advanced-security'
+  - advanced-security/codeql-javascript
+query-filters:
+  - include:
+      tags contain: actions
+paths:
+  - '.github/workflows'
+```
+
+## Update the workflow.
+In the workflow file, use the config-file parameter of the init action to specify the path to the configuration file you want to use. In our exercise we load the configuration file `./codeql-config.yml`. The modified workflow file should look like this (comments have been removed for readability):
+
+```
+name: "Actions Workflow CodeQL"
+
+on:
+  push:
+    branches: [ "develop" ]
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: 'ubuntu-latest'
+    timeout-minutes: 360
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        config-file: './codeql-config.yml'
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"
+```
+
+When the file is committed, the `Actions WorkFlow CodeQL` workflow should be triggered. Once this is completed, check the `security` tab to see the alerts for the new vulnerability.
+