Runner Group Should Be Limited to Private Repositories
policy name: runner_group_can_be_used_by_public_repositories
severity: HIGH
Description
Workflows from public repositories are allowed to run on GitHub Hosted Runners. When using GitHub Hosted Runners, it is recommended to allow only workflows from private repositories to run on these runners, to avoid malicious actors using workflows from public repositories to break into your private network. If the hosted runner lacks adequate security measures, malicious actors could fork your repository and then create a pwn-request (a pull request from a forked repository to the base repository with malicious intentions) that creates a workflow that exploits these weaknesses and moves laterally inside your network.
Threat Example(s)
Hosted runners are usually part of the organization’s private network and can be easily misconfigured.
- Create a workflow that runs on the public hosted runner
- Exploit the misconfigurations to execute code inside the private network
Remediation
- Go to the organization settings page
- Press Actions ➝ Runner groups
- Select the violating repository
- Uncheck Allow public repositories
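The same check and remediation can be scripted against the GitHub REST API instead of the settings page. The example below is added here and is not Legitify's own code; it assumes the `runner_groups` response of GET /orgs/{org}/actions/runner-groups carries an `allows_public_repositories` field and that a PATCH to the same group resource turns it off. The sample response is constructed, not taken from a real organization.

```python
import json

# Constructed sample of the JSON returned by GET /orgs/{org}/actions/runner-groups,
# trimmed to the fields used here. The organization and group names are made up.
SAMPLE_RESPONSE = json.dumps({
    "total_count": 3,
    "runner_groups": [
        {"id": 1, "name": "Default", "visibility": "all",
         "allows_public_repositories": False, "default": True},
        {"id": 2, "name": "prod-network", "visibility": "selected",
         "allows_public_repositories": True, "default": False},
        {"id": 3, "name": "ci-sandbox", "visibility": "all",
         "allows_public_repositories": True, "default": False},
    ],
})

POLICY = "runner_group_can_be_used_by_public_repositories"


def find_public_exposed_groups(response_json: str) -> list[dict]:
    """Return one finding per runner group that accepts workflows from
    public repositories (the condition this policy flags as HIGH)."""
    data = json.loads(response_json)
    findings = []
    for group in data.get("runner_groups", []):
        # Missing field is treated as "not allowed", i.e. no finding.
        if group.get("allows_public_repositories", False):
            findings.append({
                "id": group["id"],
                "name": group["name"],
                "visibility": group.get("visibility"),
                "policy": POLICY,
                "severity": "HIGH",
            })
    return findings


def remediation_request(org: str, group_id: int) -> tuple[str, str, dict]:
    """Build the API call equivalent to unchecking 'Allow public repositories':
    (HTTP method, URL, JSON body). Nothing is sent; the caller decides."""
    url = f"https://api.github.com/orgs/{org}/actions/runner-groups/{group_id}"
    return ("PATCH", url, {"allows_public_repositories": False})


if __name__ == "__main__":
    for finding in find_public_exposed_groups(SAMPLE_RESPONSE):
        print(finding)
        print(remediation_request("example-org", finding["id"]))
```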