- Alerts produced by the query
actions/missing-workflow-permissionsnow include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
- Fixed typos in the query and alert titles for the queries
actions/envpath-injection/critical,actions/envpath-injection/medium,actions/envvar-injection/critical, andactions/envvar-injection/medium.
No user-facing changes.
- The
actions/unversioned-immutable-actionquery will no longer report any alerts, since the Immutable Actions feature is not yet available for customer use. The query has also been moved to the experimental folder and will not be used in code scanning unless it is explicitly added to a code scanning configuration. Once the Immutable Actions feature is available, the query will be updated to report alerts again.
-
The following queries have been removed from the
code-scanningandsecurity-extendedsuites. Any existing alerts for these queries will be closed automatically.actions/if-expression-always-true/criticalactions/if-expression-always-true/highactions/unnecessary-use-of-advanced-config
-
The following query has been moved from the
code-scanningsuite to thesecurity-extendedsuite. Any existing alerts for this query will be closed automatically unless the analysis is configured to use thesecurity-extendedsuite.actions/unpinned-tag
-
The following queries have been added to the
security-extendedsuite.actions/unversioned-immutable-actionactions/envpath-injection/mediumactions/envvar-injection/mediumactions/code-injection/mediumactions/artifact-poisoning/mediumactions/untrusted-checkout/medium
- Fixed false positives in the query
actions/unpinned-tag(CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
No user-facing changes.
No user-facing changes.
- Initial public preview release