Automated Code Commits with Privileged Token
Overview
We have recently conducted a security scan of our GitHub repositories to ensure our CI/CD pipelines are secure. We identified misconfigurations in GitHub Actions workflows (e.g., injection risks, unpinned actions).
File: .github/workflows/format.yml
Description
The workflow automatically runs npm install, modifies code, and pushes directly to a branch using a privileged token (ADYEN_AUTOMATION_BOT_ACCESS_TOKEN). A compromised dependency could exploit this to push malicious code to the repository. Additionally, actions/setup-node is not pinned to a commit hash.
Remediation
Pin all actions to a specific commit hash. Instead of pushing directly, modify the workflow to create a pull request that requires human review. Use npm ci with a checked-in package-lock.json instead of npm install to ensure dependency integrity.
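A hardened shape for the workflow described above, written here as an added example rather than the repository's actual .github/workflows/format.yml. The commit SHAs, the formatter command and the branch names are placeholders; the token, setup-node and npm details come from the report.

```yaml
# Added example, not the repository's own workflow. Commit SHAs and the
# formatter command are placeholders; substitute real values before use.
name: format

on:
  push:
    branches: [main]

# Short-lived GITHUB_TOKEN with only the scopes needed to push a branch and
# open a pull request, instead of a long-lived bot PAT such as
# ADYEN_AUTOMATION_BOT_ACCESS_TOKEN.
permissions:
  contents: write
  pull-requests: write

jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      # Pin every action to a full commit SHA; the trailing comment records
      # the tag it corresponds to for readers and for update tooling.
      - uses: actions/checkout@<40-hex-commit-sha>    # v4
      - uses: actions/setup-node@<40-hex-commit-sha>  # v4
        with:
          node-version: 20
          cache: npm

      # npm ci installs exactly what package-lock.json records and fails on
      # any mismatch; npm install would re-resolve and rewrite the lockfile.
      - run: npm ci

      # Placeholder for the repository's formatter.
      - run: npm run format

      # Commit to a fresh branch and open a PR for human review instead of
      # pushing straight to the target branch.
      - name: Open pull request with formatting changes
        env:
          GH_TOKEN: ${{ github.token }}
          BASE: ${{ github.ref_name }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git diff --quiet && { echo "No formatting changes"; exit 0; }
          branch="format/${GITHUB_RUN_ID}"
          git checkout -b "$branch"
          git commit -am "chore: apply formatter"
          git push origin "$branch"
          gh pr create --base "$BASE" --head "$branch" \
            --title "Apply formatting" --body "Automated formatting; please review."
```

Because the checked-in package-lock.json now governs installation, a dependency that changes upstream cannot silently enter the run, and the only write the job performs is to its own branch, which a reviewer must merge.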