Runner-Guard Security Finding
Rule: RGS-004 — Comment-Triggered Workflow Without Author Authorization Check
Severity: High
Occurrences: 1,451 findings across 16 unique workflows
Description
Workflows triggered by issue_comment, pull_request_review_comment, or workflow_run events access secrets or have write permissions but do not verify the comment author's authorization level before executing privileged operations.
The issue_comment event fires for comments from ANY GitHub user, including those with no affiliation to the repository. Without an explicit check on github.event.comment.author_association, any external user can trigger these workflows by posting a comment on any open issue or pull request.
Impact
- Any unauthenticated external user can trigger privileged CI/CD operations
- Workflows with write permissions or secret access become exploitable by arbitrary commenters
- Potential for secret exfiltration, repository content modification, or unauthorized deployments
Affected Workflows (16 unique)
ace-editor, ai-moderator, archie, architecture-guardian, artifacts-summary, auto-triage-issues, brave, cloclo, grumpy-reviewer, mergefest, pdf-summary, plan, pr-nitpick-reviewer, q, scout, security-review
Remediation
Add an authorization check to each affected job's if: condition:
jobs:
  agent:
    # Restrict comment-triggered jobs to authorized users only
    if: |
      github.event_name != 'issue_comment' ||
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
    permissions:
      contents: write
Alternatively, use a dedicated allowlist check step at the start of each job:
      - name: Check commenter authorization
        if: github.event_name == 'issue_comment'
        run: |
          ASSOC="${{ github.event.comment.author_association }}"
          if [[ "$ASSOC" != "OWNER" && "$ASSOC" != "MEMBER" && "$ASSOC" != "COLLABORATOR" ]]; then
            echo "::error::Unauthorized commenter (association: $ASSOC)"
            exit 1
          fi
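The following is an added example, not part of the runner-guard report or the gh-aw repository: the same allowlist check written as a shell function that can be exercised offline. Unlike the job-level `if:` above, which gates only `issue_comment`, this function also gates `pull_request_review_comment`, the other comment event the finding lists. In a real step the two arguments would be supplied from `${{ github.event_name }}` and `${{ github.event.comment.author_association }}`; the function name and the sample values in the usage section are this example's own.

```shell
#!/usr/bin/env bash
# Added example: allowlist check for comment-triggered workflows.
# check_commenter_auth and ALLOWED_ASSOCIATIONS are names chosen for this
# example; the association strings are the values GitHub reports in
# comment.author_association.
set -u

# Associations allowed to trigger privileged jobs. CONTRIBUTOR,
# FIRST_TIME_CONTRIBUTOR, FIRST_TIMER and NONE are deliberately excluded:
# any GitHub account can reach those levels on a public repository.
ALLOWED_ASSOCIATIONS="OWNER MEMBER COLLABORATOR"

# Usage: check_commenter_auth <event_name> <author_association>
# Returns 0 when the event is not comment-triggered (nothing to gate) or the
# commenter's association is on the allowlist; returns 1 otherwise and emits
# a GitHub Actions error annotation on stderr.
check_commenter_auth() {
    local event_name="$1" assoc="$2" allowed
    case "$event_name" in
        issue_comment|pull_request_review_comment) ;;
        *) return 0 ;;   # push, schedule, workflow_dispatch, ...: not gated here
    esac
    for allowed in $ALLOWED_ASSOCIATIONS; do
        [ "$assoc" = "$allowed" ] && return 0
    done
    echo "::error::Unauthorized commenter (association: ${assoc:-<missing>})" >&2
    return 1
}

# Stand-alone usage with constructed values (in a workflow step these come
# from the github context expressions named in the lead-in).
if [ "${1:-}" = "--demo" ]; then
    check_commenter_auth issue_comment COLLABORATOR && echo "collaborator: allowed"
    check_commenter_auth pull_request_review_comment NONE || echo "unaffiliated: denied"
    check_commenter_auth push NONE && echo "non-comment event: not gated"
fi
```

The job-level `if:` expression remains the stronger control because it prevents the job from starting at all, so no secret is ever materialised on the runner; a step-level check like this one is a fallback for jobs that cannot carry the expression, and it must be the first step, before any checkout or secret use.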
Detected by runner-guard v2.6.0 — CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/25206730082