github · felickz · Jan 7, 2025 · Jan 7, 2025 · Jan 7, 2025 · Jan 7, 2025
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Trusted Action owner list can now be expanded using data extensions for `trustedActionsOwner` on the query `actions/unpinned-tag`
diff --git a/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
@@ -9,6 +9,12 @@ class UnversionedImmutableAction extends UsesStep {
   }
 }
 
+// The following predicate is extended in data extensions under actions/ql/lib/codeql/actions/security/owner/
+// and can be extended with custom model packs as necessary.
+
+/** Holds for actions owner defined in data extensions */
+extensible predicate trustedActionsOwner(string owner);
+
 bindingset[version]
 predicate isSemVer(string version) {
   // https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string with optional v prefix

diff --git a/actions/ql/lib/codeql/actions/security/owner/trusted/trusted_actions_owner.model.yml b/actions/ql/lib/codeql/actions/security/owner/trusted/trusted_actions_owner.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo: 
+      pack: codeql/actions-all
+      extensible: trustedActionsOwner
+    data:      
+      - ["actions"]
+      - ["github"]
+      - ["advanced-security"]
diff --git a/actions/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml
@@ -14,3 +14,4 @@ dataExtensions:
   - ext/manual/*.model.yml
   - ext/generated/**/*.model.yml
   - ext/config/*.yml
+  - codeql/actions/security/owner/**/*.model.yml
@@ -17,24 +17,25 @@ import codeql.actions.security.UseOfUnversionedImmutableAction
 bindingset[version]
 private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }
 
-bindingset[repo]
-private predicate isTrustedOrg(string repo) {
-  repo.matches(["actions", "github", "advanced-security"] + "/%")
+bindingset[nwo]
+private predicate isTrustedOwner(string nwo) {  
+  // Gets the segment before the first '/' in the name with owner(nwo) string 
+  trustedActionsOwner(nwo.substring(0, nwo.indexOf("/")))
 }
 
-from UsesStep uses, string repo, string version, Workflow workflow, string name
+from UsesStep uses, string nwo, string version, Workflow workflow, string name
 where
-  uses.getCallee() = repo and
+  uses.getCallee() = nwo and
   uses.getEnclosingWorkflow() = workflow and
   (
     workflow.getName() = name
     or
     not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
   ) and
   uses.getVersion() = version and
-  not isTrustedOrg(repo) and
+  not isTrustedOwner(nwo) and
   not isPinnedCommit(version) and
-  not isImmutableAction(uses, repo)
+  not isImmutableAction(uses, nwo)
 select uses.getCalleeNode(),
-  "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version +
+  "Unpinned 3rd party Action '" + name + "' step $@ uses '" + nwo + "' with ref '" + version +
     "', not a pinned commit hash", uses, uses.toString()