Workflows Should Not Be Allowed To Approve Pull Requests
policy name: actions_can_approve_pull_requests
severity: HIGH
Description
The default GitHub Actions configuration allows workflows to approve pull requests (the ‘Allow GitHub Actions to create and approve pull requests’ option under ‘Workflow permissions’). While it is enabled, the GITHUB_TOKEN issued to a workflow run can submit an approving review, so a branch protection rule that requires approvals can be satisfied by a workflow instead of a human reviewer. This lets users bypass code-review restrictions. Note that the option governs only the GITHUB_TOKEN; a workflow that uses a personal access token or a GitHub App token with pull-request write access can still approve, so such secrets deserve the same scrutiny.
Threat Example(s)
An attacker with write access to the repository can exploit this misconfiguration to bypass code-review restrictions: they open a pull request whose branch also changes a workflow so that it approves the pull request with the run’s GITHUB_TOKEN, then merge as soon as the bot’s approval satisfies the required-review rule. No human reviews the change, and the malicious code it introduces goes straight to production.
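The workflow such an attacker would push, as an added illustration of the threat above (not code from the original page). It assumes the pull request comes from a branch in the same repository, that the ‘Allow GitHub Actions to create and approve pull requests’ option is enabled for the organization or repository, and uses placeholder workflow and job names:

```yaml
# Added illustration of the threat, not from the original page.
# Assumes: PR branch lives in the same repository, and the org/repo option
# 'Allow GitHub Actions to create and approve pull requests' is enabled.
# Names are placeholders.
name: ci
on:
  pull_request:

permissions:
  contents: read
  pull-requests: write   # lets the run's GITHUB_TOKEN submit a review

jobs:
  self-approve:
    runs-on: ubuntu-latest
    steps:
      - name: Approve the pull request that triggered this run
        env:
          GH_TOKEN: ${{ github.token }}
        run: >
          gh pr review "${{ github.event.pull_request.number }}"
          --approve --repo "${{ github.repository }}"
```

The approval is recorded as a review by github-actions[bot] with state APPROVED, which is the event to alert on in audit logs or pull-request review data. With the option disabled, the same review call is rejected by the API and the required-review rule remains unsatisfied.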
Remediation
- Make sure you are an organization owner (admin permissions on the org)
- Go to the org’s settings page
- Open the ‘Actions’ - ‘General’ tab
- Under ‘Workflow permissions’, uncheck ‘Allow GitHub Actions to create and approve pull requests’
- Click ‘Save’
- The same option exists in each repository’s Actions settings; disabling it at the organization level applies the restriction to every repository in the org, so prefer the org-level change
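The same check and fix can be driven through the GitHub REST API, which is useful for auditing many organizations or confirming the UI change took effect. The script below is an added example, not part of the original page or of any tool it describes. It assumes a token in the GITHUB_TOKEN environment variable with admin rights on the organization and repositories, and the organization and repository names passed on the command line are placeholders:

```python
"""Audit (and optionally fix) the 'Allow GitHub Actions to create and approve
pull requests' option via the GitHub REST API.

Added example, not from the original page. Assumes: GITHUB_TOKEN in the
environment holds a token with admin rights; org/repo names are placeholders.
"""
import json
import os
import sys
import urllib.request

API = "https://api.github.com"
POLICY = "actions_can_approve_pull_requests"


def workflow_permissions_url(owner, repo=None):
    """Endpoint that exposes 'can_approve_pull_request_reviews' for an org or a repo."""
    if repo:
        return f"{API}/repos/{owner}/{repo}/actions/permissions/workflow"
    return f"{API}/orgs/{owner}/actions/permissions/workflow"


def evaluate(settings, scope):
    """Turn one workflow-permissions response into a policy finding.

    A missing field is treated as 'not allowed', i.e. compliant."""
    allowed = settings.get("can_approve_pull_request_reviews") is True
    return {
        "policy": POLICY,
        "severity": "HIGH",
        "scope": scope,
        "violated": allowed,
        "message": (
            "workflows may create and approve pull requests; code review can be bypassed"
            if allowed
            else "workflows cannot approve pull requests"
        ),
    }


def remediation_body(settings):
    """PUT body that disables approvals but keeps the existing default token permissions."""
    return {
        "default_workflow_permissions": settings.get("default_workflow_permissions", "read"),
        "can_approve_pull_request_reviews": False,
    }


def _call(method, url, token, body=None):
    """Minimal authenticated GitHub API call; PUT on this endpoint returns an empty 204."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url,
        data=data,
        method=method,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def audit(owner, repos, token, fix=False):
    """Evaluate the org and each listed repo; with fix=True, disable approvals where violated."""
    scopes = [(workflow_permissions_url(owner), f"org:{owner}")]
    scopes += [(workflow_permissions_url(owner, r), f"repo:{owner}/{r}") for r in repos]
    findings = []
    for url, scope in scopes:
        settings = _call("GET", url, token)
        finding = evaluate(settings, scope)
        if finding["violated"] and fix:
            _call("PUT", url, token, remediation_body(settings))
            finding["remediated"] = True
        findings.append(finding)
    return findings


if __name__ == "__main__":
    # usage: python audit.py ORG [REPO ...] [--fix]
    args = [a for a in sys.argv[1:] if a != "--fix"]
    if not args:
        sys.exit("usage: audit.py ORG [REPO ...] [--fix]")
    results = audit(args[0], args[1:], os.environ["GITHUB_TOKEN"], fix="--fix" in sys.argv)
    for f in results:
        print("FAIL" if f["violated"] else "PASS", f["scope"], f["message"])
    sys.exit(1 if any(f["violated"] for f in results) else 0)
```

Run it without `--fix` first to get a list of failing scopes; the non-zero exit status makes it usable as a CI gate. The repository-level check matters when the organization setting is compliant but you want evidence that no repository was left in a permissive state before the org-wide change.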