Skip to content

Security Advisory: Self-Hosted Runner Risk (Skor: 45/100) #200

Open
Open
Security Advisory: Self-Hosted Runner Risk (Skor: 45/100)#200

Description

@Notime02
Notime02
opened on Jun 22, 2026

Security Advisory: Self-Hosted Runner Risk Tespit Edildi

Merhaba,

Bu repo'da self-hosted GitHub Actions runner kullanildigi ve riskli trigger'larin bulundugu tespit edilmistir.

Tespit Edilen Sorunlar

  • Risk Skoru: 45/100
  • Trigger'lar: 4 workflow'da self-hosted runner var; RISKLI TETIKLEYICI: workflow_run in benchmark-tier.yml
  • Workflow'lar (4 adet):
    • benchmark-tier.yml
    • matrix-nightly-tier.yml
    • matrix-pr-tier.yml
    • matrix-weekend-tier.yml

Oneriler

  1. Self-hosted runner kullaniyorsaniz, runner'in guvenlik yamalarinin guncel oldugundan emin olun.
  2. Riskli trigger'lar (pull_request_target, issue_comment, workflow_run, repository_dispatch) kullaniyorsaniz, ek guvenlik onlemleri alin:
    • pull_request_target icin: base branch'i checkout ederken PR koduyla calismayin
    • issue_comment icin: sadece yetkili kullanicilarin trigger'layabildiginden emin olun
    • workflow_run icin: calisma ortamini kistlayin
  3. Runner erisimini sadece guvenilir workflow'larla sinirlandirin.
  4. Runner'in ag erisimini kistlayin.
  5. Token'larinizi sifreli sekilde (GitHub Secrets) saklayin.

Detayli dokuman: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

Bu mesaj, guvenlik amaciyla otomatik olarak gonderilmistir. Herkesin bilgisayari guvende olsun.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions