yaml.github-actions.semgrep-configuration.semgrep-github-action-push-without-branches.semgrep-github-action-push-without-branches

Author
unknown
The 'branches' field (in the push event configuration) contains no branches. This causes all branches to be scanned and may result in unnecessary duplicate findings across the entire codebase.
Definition
rules:
- id: semgrep-github-action-push-without-branches
  message: The 'branches' field (in the push event configuration) contains no
    branches. This causes all branches to be scanned and may result in
    unnecessary duplicate findings across the entire codebase.
  severity: WARNING
  languages:
  - yaml
  paths:
    include:
    - .github/workflows/semgrep.yml
    - "*.test.yml"
  patterns:
  - pattern-either:
    # push trigger given with no configuration at all
    - pattern: |
        on: [..., push, ...]
        ...
    - pattern: |
        on: push
        ...
    - pattern: |
        on:
          ...
          push: ""
          ...
        ...
    - pattern: |
        on:
          ...
          push: {}
          ...
        ...
    # push trigger configured, but with an empty branches filter
    - patterns:
      - pattern-inside: |
          on:
            ...
            push: ...
            ...
          ...
      - pattern-either:
        - pattern: |
            branches: ""
        - pattern: |
            branches: []
  metadata:
    category: correctness
    technology:
    - github-action
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
semgrep-github-action-push-without-branches.test.yml
---
on:
  pull_request: {}
  push:
    # ok: semgrep-github-action-push-without-branches
    branches:
    - main
name: Semgrep
jobs:
  semgrep:
    name: Scan
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - uses: returntocorp/semgrep-action@v1
      with:
        publishToken: abc
---
on:
  pull_request: {}
  push:
    # ruleid: semgrep-github-action-push-without-branches
    branches:
name: Semgrep
jobs:
  semgrep:
    name: Scan
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - uses: returntocorp/semgrep-action@v1
      with:
        publishToken: abc
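The same check the rule expresses as YAML patterns, written out in Python as an added example (not part of the rule or the registry page). It assumes the workflow's `on:` key has already been loaded with a YAML parser such as PyYAML's `safe_load`, so `on: push` arrives as a string, `on: [push]` as a list and the mapping forms as dicts; it also covers the null `branches:` case from the test file above, which the rule's two literal patterns do not spell out. All sample inputs are constructed.

```python
def push_without_branches(on_value):
    """Return True if the workflow's push trigger carries no `branches` filter.

    `on_value` is the loaded `on:` key of a GitHub Actions workflow: a string
    (`on: push`), a list (`on: [push, pull_request]`) or a mapping.
    """
    # `on: push` -- push with no configuration at all
    if isinstance(on_value, str):
        return on_value == "push"
    # `on: [..., push, ...]` -- the list form cannot carry a branches filter
    if isinstance(on_value, list):
        return "push" in on_value
    if not isinstance(on_value, dict) or "push" not in on_value:
        return False  # no push trigger at all
    push_cfg = on_value["push"]
    # `push:` (null), `push: ""` or `push: {}` -- push with empty configuration
    if push_cfg is None or push_cfg == "" or push_cfg == {}:
        return True
    if not isinstance(push_cfg, dict):
        return False
    # `branches:` present but empty (null, "" or []). A push block that only
    # carries branches-ignore/tags filters is left alone, as the rule does.
    if "branches" in push_cfg:
        return push_cfg["branches"] in (None, "", [])
    return False


# Constructed samples mirroring the rule's alternatives and the test file.
SAMPLES = {
    "on: push": "push",
    "on: [pull_request, push]": ["pull_request", "push"],
    "push: {}": {"pull_request": {}, "push": {}},
    "push: null": {"push": None},
    "branches: []": {"push": {"branches": []}},
    "branches: null (test file)": {"push": {"branches": None}},
    "branches: [main] (ok)": {"push": {"branches": ["main"]}},
    "only tags (ok)": {"push": {"tags": ["v*"]}},
    "no push (ok)": {"pull_request": {}},
}


def scan_samples():
    """Map each sample name to whether the check fires on it."""
    return {name: push_without_branches(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{'FINDING' if hit else 'ok     '}  {name}")
```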
Short Link: https://sg.run/GOBn