Will It Vibe logoWill It Vibe?
GHA-008Critical severity-25 points

Privileged trigger checks out pull-request-controlled code

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.

What it detects

A workflow triggered by pull_request_target or workflow_run checks out the pull request head ref or SHA. That runs attacker-controlled code with the base repository write token and secrets in scope, the classic "pwn request" pattern that leads to full repository and secret compromise.

Why it matters

Checking out the pull request head under pull_request_target or workflow_run runs attacker-controlled code with the base repository write token and secrets available. A malicious contributor can add a build script, a test, or a dependency install hook that reads your secrets and pushes to your repo. This is the most common way GitHub Actions pipelines get fully compromised.

How to fix it

Do not check out and run untrusted PR code in a privileged trigger. Split the pipeline: run the build and tests on the pull_request trigger (no secrets exposed to forks), and keep only trusted steps under pull_request_target. If you genuinely must build PR code with secrets, gate it behind a manual approval environment and a maintainer label check, and scope the token to the minimum needed.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks