Runner Group Should Be Limited to Selected Repositories
policy name: runner_group_not_limited_to_selected_repositories
severity: MEDIUM
Description
Not limiting the runner group to selected repositories allows any user in the organization to execute workflows on the group’s runners. If the hosted runner lacks adequate security measures, a malicious insider could create a repository with a workflow that exploits the runner’s vulnerabilities to move laterally inside your network.
Threat Example(s)
Hosted runners are usually part of the organization’s private network and can be easily misconfigured.
- Create a workflow that runs on the hosted runner
- Exploit the runner’s misconfigurations or known CVEs to execute code inside the private network
Remediation
- Go to the organization settings page
- Go to Actions ➝ Runner groups
- Under the ‘Repository Access’ section, select ‘Selected repositories’
- Select the required repositories
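The same check and remediation can be driven through the GitHub REST API rather than the settings UI. The following is an added example, not part of the original policy text: it flags runner groups whose repository access is set to all repositories (the API reports this as `visibility: "all"`) and builds the two requests that restrict a group to selected repositories. The endpoint paths are GitHub's documented organization runner-group endpoints; the organization name, group IDs, and repository IDs in the sample response are constructed placeholders.

```python
"""Audit GitHub organization runner groups for unrestricted repository access.

Added example: detects runner groups that are not limited to selected
repositories and prepares the API calls that remediate them. Nothing is sent
over the network; the HTTP requests are only constructed so the script runs
offline. Replace the constructed sample with the real response from
GET /orgs/{org}/actions/runner-groups when auditing a live organization.
"""
from typing import Any

# Constructed sample of a GET /orgs/{org}/actions/runner-groups response.
# IDs and names are placeholders, not real data.
SAMPLE_RESPONSE: dict[str, Any] = {
    "total_count": 3,
    "runner_groups": [
        # Default group left open to every repository in the organization.
        {"id": 1, "name": "Default", "visibility": "all", "default": True},
        # Group correctly limited to selected repositories.
        {"id": 2, "name": "build-agents", "visibility": "selected", "default": False},
        # Another group open to the whole organization: this is the finding.
        {"id": 3, "name": "internal-network", "visibility": "all", "default": False},
    ],
}

# Constructed repository IDs that the remediation would grant access to.
ALLOWED_REPOSITORY_IDS = [101, 102]


def unrestricted_runner_groups(response: dict[str, Any]) -> list[dict[str, Any]]:
    """Return every runner group whose access is not limited to selected repos.

    GitHub reports repository access as the "visibility" field with values
    "all", "selected" or "private"; only "all" matches this policy.
    """
    return [
        group
        for group in response.get("runner_groups", [])
        if group.get("visibility") == "all"
    ]


def unrestricted_runner_group_names(response: dict[str, Any]) -> list[str]:
    """Convenience wrapper returning just the names of the flagged groups."""
    return [group["name"] for group in unrestricted_runner_groups(response)]


def remediation_requests(
    org: str, group_id: int, selected_repository_ids: list[int]
) -> list[tuple[str, str, dict[str, Any]]]:
    """Build the two API calls that limit a runner group to selected repos.

    1. PATCH the group so its repository access becomes "selected".
    2. PUT the explicit list of repository IDs allowed to use the group.
    Returned as (method, path, json_body) tuples so a caller can review them
    before sending, e.g. with `gh api` or any HTTP client using a token that
    has organization administration permissions.
    """
    base = f"/orgs/{org}/actions/runner-groups/{group_id}"
    return [
        ("PATCH", base, {"visibility": "selected"}),
        (base and "PUT", f"{base}/repositories",
         {"selected_repository_ids": list(selected_repository_ids)}),
    ]


def main() -> None:
    org = "example-org"  # constructed placeholder organization name
    flagged = unrestricted_runner_groups(SAMPLE_RESPONSE)
    if not flagged:
        print("All runner groups are limited to selected repositories.")
        return
    for group in flagged:
        print(f"[MEDIUM] runner group '{group['name']}' (id {group['id']}) "
              f"is accessible from every repository in {org}")
        for method, path, body in remediation_requests(org, group["id"], ALLOWED_REPOSITORY_IDS):
            print(f"    {method} {path} {body}")


if __name__ == "__main__":
    main()
```

The PATCH alone is not sufficient: a group switched to `selected` with no repositories assigned blocks every workflow until the PUT supplies the allowed repository list, so the two calls are kept together and ordered accordingly.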