Actions: Add four experimental queries

[JamieMagee]

Four new experimental queries that catch GitHub Actions issues Zizmor flags but CodeQL currently misses. All are structural pattern-matching (@kind problem), no dataflow.

actions/secrets-inherit (CWE-200): secrets: inherit on reusable workflow calls forwards every org and repo secret to the callee. Almost nobody actually needs that; the fix is listing the specific secrets the workflow uses.

actions/hardcoded-container-credentials (CWE-798): Literal passwords in container.credentials.password or services.*.credentials.password. Checks that the value isn't a ${{ }} expression.

actions/unsound-contains (CWE-183): contains('refs/heads/main refs/heads/develop', github.ref) looks like a membership check but is actually a substring match. A branch named mai would pass. The fix is contains(fromJSON('["refs/heads/main", "refs/heads/develop"]'), github.ref).

actions/spoofable-actor-check (CWE-290): github.actor == 'dependabot[bot]' as a security gate on pull_request_target. github.actor is the last actor to touch the context, not the one who opened the PR, so an attacker can spoof it. The existing ActorIfCheck in ControlChecks.qll already excludes [bot] patterns from being treated as security guards, which confirms the framework considers these checks insufficient.

Each query has an .md help file and test fixtures with both positive and negative cases.

[Copilot]

Pull request overview

Adds four new experimental GitHub Actions security queries (structural @kind problem) to catch common workflow misconfigurations that can lead to secret exposure or bypassable security controls.

Changes:

• Added 4 experimental Actions security queries: actions/secrets-inherit, actions/hardcoded-container-credentials, actions/unsound-contains, and actions/spoofable-actor-check.
• Added per-query help (.md) documentation.
• Added query-tests with positive/negative workflow fixtures and .expected results.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
actions/ql/src/experimental/Security/CWE-200/SecretsInherit.ql	New query flagging secrets: inherit on reusable workflow calls.
actions/ql/src/experimental/Security/CWE-200/SecretsInherit.md	Help text for actions/secrets-inherit.
actions/ql/test/query-tests/Security/CWE-200/SecretsInherit.qlref	Test registration for SecretsInherit.
actions/ql/test/query-tests/Security/CWE-200/SecretsInherit.expected	Expected results for SecretsInherit tests.
actions/ql/test/query-tests/Security/CWE-200/.github/workflows/secrets-inherit.yml	Positive/negative workflow fixtures for SecretsInherit.
actions/ql/src/experimental/Security/CWE-798/HardcodedContainerCredentials.ql	New query flagging hardcoded container/service credential passwords.
actions/ql/src/experimental/Security/CWE-798/HardcodedContainerCredentials.md	Help text for actions/hardcoded-container-credentials.
actions/ql/test/query-tests/Security/CWE-798/HardcodedContainerCredentials.qlref	Test registration for HardcodedContainerCredentials.
actions/ql/test/query-tests/Security/CWE-798/HardcodedContainerCredentials.expected	Expected results for HardcodedContainerCredentials tests.
actions/ql/test/query-tests/Security/CWE-798/.github/workflows/hardcoded-credentials.yml	Positive/negative workflow fixtures for hardcoded container/service credentials.
actions/ql/src/experimental/Security/CWE-183/UnsoundContains.ql	New query flagging substring-based contains() membership checks using string literals.
actions/ql/src/experimental/Security/CWE-183/UnsoundContains.md	Help text for actions/unsound-contains.
actions/ql/test/query-tests/Security/CWE-183/UnsoundContains.qlref	Test registration for UnsoundContains.
actions/ql/test/query-tests/Security/CWE-183/UnsoundContains.expected	Expected results for UnsoundContains tests.
actions/ql/test/query-tests/Security/CWE-183/.github/workflows/unsound-contains.yml	Positive/negative workflow fixtures for unsound contains() usage.
actions/ql/src/experimental/Security/CWE-290/SpoofableActorCheck.ql	New query flagging bot-name checks against spoofable actor contexts on externally triggerable events.
actions/ql/src/experimental/Security/CWE-290/SpoofableActorCheck.md	Help text for actions/spoofable-actor-check.
actions/ql/test/query-tests/Security/CWE-290/SpoofableActorCheck.qlref	Test registration for SpoofableActorCheck.
actions/ql/test/query-tests/Security/CWE-290/SpoofableActorCheck.expected	Expected results for SpoofableActorCheck tests.
actions/ql/test/query-tests/Security/CWE-290/.github/workflows/bot-conditions.yml	Positive/negative workflow fixtures for spoofable actor checks.

Comments suppressed due to low confidence (1)

actions/ql/src/experimental/Security/CWE-183/UnsoundContains.md:37

• This second fromJSON() example also escapes the JSON quotes (it includes backslashes before the quotes). Please remove the backslashes so the JSON is written with normal double-quotes for copy/paste correctness.

```yaml
steps:
  - run: terraform apply
    if: contains(fromJSON('["refs/heads/main", "refs/heads/develop"]'), github.ref)

</details>

[Copilot]

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated no new comments.

[intrigus-lgtm]

secrets: inherit on reusable workflow calls forwards every org and repo secret to the callee. Almost nobody actually needs that; the fix is listing the specific secrets the workflow uses. [emphasis mine]

Is this actually true? If so, do you have a source for that? As far as I'm aware, only secrets to which the caller workflow already has access are getting inherited.

Fun fact, the GitHub blog explicitly lists secrets: inherit as an improvement: https://github.blog/changelog/2022-05-03-github-actions-simplify-using-secrets-with-reusable-workflows/