🐛 Discard GitHub token in dangerous workflow check (#1772)

* Discard GitHub token in dangerous workflow check

* missing files

Author: laurentsimon

checks/dangerous_workflow.go

@@ -466,8 +466,13 @@ func checkSecretInScript(script string, pos *actionlint.Pos, path string,
 			return sce.WithMessage(sce.ErrScorecardInternal, errInvalidGitHubWorkflow.Error())
 		}
 
+		// Note: The default GitHub token is allowed, as it has
+		// only read permission for `pull_request`.
+		// For `pull_request_event`, we use other signals such as
+		// whether checkout action is used.
 		variable := strings.Trim(script[s:s+e+2], " ")
-		if strings.Contains(variable, "secrets.") {
+		if !strings.Contains(variable, "secrets.GITHUB_TOKEN") &&
+			strings.Contains(variable, "secrets.") {
 			line := fileparser.GetLineNumber(pos)
 			dl.Warn(&checker.LogMessage{
 				Path:   path,

checks/dangerous_workflow_test.go

@@ -241,6 +241,28 @@ func TestGithubDangerousWorkflow(t *testing.T) {
 				NumberOfDebug: 0,
 			},
 		},
+		{
+			name:     "default secret in pull request",
+			filename: "./testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-pr.yml",
+			expected: scut.TestReturn{
+				Error:         nil,
+				Score:         checker.MaxResultConfidence,
+				NumberOfWarn:  0,
+				NumberOfInfo:  0,
+				NumberOfDebug: 0,
+			},
+		},
+		{
+			name:     "default secret in pull request target",
+			filename: "./testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-prt.yml",
+			expected: scut.TestReturn{
+				Error:         nil,
+				Score:         checker.MinResultConfidence,
+				NumberOfWarn:  1,
+				NumberOfInfo:  0,
+				NumberOfDebug: 0,
+			},
+		},
 		{
 			name:     "secret in top env no checkout pull request target",
 			filename: "./testdata/.github/workflows/github-workflow-dangerous-pattern-secret-env-no-checkout-prt.yml",

checks/testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-pr.yml

@@ -0,0 +1,36 @@
+name: Close issue on Jira
+
+on:
+  pull_request
+
+env:
+  BLA: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+  test1:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1.2.3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+        name: Use in env toJson
+
+      - uses: some/action@v1.2.3
+        with:
+          option: ${{ secrets.GITHUB_TOKEN }}
+        name: Use secret in args
+
+      - name: Use in with toJson
+        env:
+          GITHUB_CONTEXT: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+            echo "$GITHUB_CONTEXT"
+            echo "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Use in with toJson
+        uses: some/action@v1.2.3
+        env:
+          GITHUB_CONTEXT: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+            echo "$GITHUB_CONTEXT"
+            echo "${{ secrets.GITHUB_TOKEN }}"

checks/testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-prt.yml

@@ -0,0 +1,36 @@
+name: Close issue on Jira
+
+on:
+  pull_request_target
+
+env:
+  BLA: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+  test1:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1.2.3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+        name: Use in env toJson
+
+      - uses: some/action@v1.2.3
+        with:
+          option: ${{ secrets.GITHUB_TOKEN }}
+        name: Use secret in args
+
+      - name: Use in with toJson
+        env:
+          GITHUB_CONTEXT: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+            echo "$GITHUB_CONTEXT"
+            echo "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Use in with toJson
+        uses: some/action@v1.2.3
+        env:
+          GITHUB_CONTEXT: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+            echo "$GITHUB_CONTEXT"
+            echo "${{ secrets.GITHUB_TOKEN }}"