id: github-workflows-disclosure info: name: Github Workflow Disclosure author: dhiyaneshDk,geeknik severity: medium description: Github Workflow was exposed. reference: - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/github-workflows-disclosure.json metadata: max-request: 27 tags: exposure,config http: - method: GET path: - "{{BaseURL}}{{paths}}" payloads: paths: - "/.github/workflows/ci.yml" - "/.github/workflows/ci.yaml" - "/.github/workflows/CI.yml" - "/.github/workflows/main.yml" - "/.github/workflows/main.yaml" - "/.github/workflows/build.yml" - "/.github/workflows/build.yaml" - "/.github/workflows/test.yml" - "/.github/workflows/test.yaml" - "/.github/workflows/tests.yml" - "/.github/workflows/tests.yaml" - "/.github/workflows/release.yml" - "/.github/workflows/publish.yml" - "/.github/workflows/deploy.yml" - "/.github/workflows/push.yml" - "/.github/workflows/lint.yml" - "/.github/workflows/coverage.yml" - "/.github/workflows/release.yaml" - "/.github/workflows/pr.yml" - "/.github/workflows/automerge.yml" - "/.github/workflows/docker.yml" - "/.github/workflows/ci-generated.yml" - "/.github/workflows/ci-push.yml" - "/.github/workflows/ci-daily.yml" - "/.github/workflows/ci-issues.yml" - "/.github/workflows/smoosh-status.yml" - "/.github/workflows/snyk.yml" matchers-condition: and matchers: - type: regex regex: - "(?m)^\\s*\"?on\"?:" - "(?m)^\\s*\"?jobs\"?:" - "(?m)^\\s*\"?steps\"?:" - "(?m)^\\s*- \"?uses\"?:" part: body condition: and - type: status status: - 200 # digest: 4b0a00483046022100925b58bcf5901c31493c2152879124e7acaeac9514ebfb449594e371e6e098f1022100e656b6791b4519676ec26a69da7b1f9265aff35af2285bfc2784e6f011fe710b:922c64590222798bb761d5b6d8e72950