Hi —
Automated security scan flagged a pull_request_target workflow in your repo that checks out the PR's head SHA / ref. This is the pattern of the classic GitHub Actions RCE — but whether it's actually exploitable depends on your guards (label gates, approved-ci checks, head-vs-base ownership checks, etc).
I'm not claiming we verified exploitability — we verified the pattern exists. Please review your workflow's guards and confirm. If they're sufficient, this is a non-issue and you can close.
If you'd like the exact workflow file + line we flagged, reply here or email Raffa@Lictor-AI.com.
— Raffa
Lictor AI · https://lictorai.com
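For maintainers reviewing a report like this one, the following is an added illustration (not part of the original issue, and not Lictor AI's scanner output): the first document shows the flagged shape, a pull_request_target workflow that checks out and executes the PR head, and the two documents after it show hardened shapes that keep the privileged trigger out of reach of PR-controlled code. The three are separate workflow files, shown in one block separated by `---`; workflow names, the `npm` commands, the `safe-to-test` label and the condition names are assumptions.

```yaml
# Flagged pattern (added illustration; names are assumed).
# pull_request_target runs in the context of the base repository, so
# repository secrets and a write-capable GITHUB_TOKEN are in scope, yet this
# job checks out the PR head and runs whatever scripts that head contains.
name: ci-flagged
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # PR-controlled code
      - run: npm ci && npm test                            # executed with secrets in scope

---
# Hardened variant 1: build and test untrusted code under the plain
# pull_request event, which for fork PRs gets a read-only token and no
# repository secrets. Keep pull_request_target (if needed at all) for
# steps that never execute PR code, such as labeling or commenting.
name: ci-hardened
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4        # merge ref; nothing sensitive to leak here
      - run: npm ci && npm test

---
# Hardened variant 2: privileged trigger retained, but the job only runs when
# a maintainer has reviewed the PR and applied a label, the token is scoped to
# read-only, and the checked-out tree does not inherit the token.
name: ci-labeled
on:
  pull_request_target:
    types: [labeled]          # deliberately not 'synchronize': later pushes need a fresh label
permissions:
  contents: read
jobs:
  test:
    # Label name is an assumption. An alternative ownership gate (the
    # "head-vs-base" check from the report) would be:
    #   github.event.pull_request.head.repo.full_name == github.repository
    if: github.event.label.name == 'safe-to-test'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # the SHA that was reviewed and labeled
          persist-credentials: false                       # don't leave GITHUB_TOKEN in .git/config
      - run: npm ci && npm test
```

When checking a label gate, look at two details: the `types` list (if it includes `synchronize` or `opened`, the label stays on the PR and new pushes run without re-review) and the checkout `ref` (using `head.sha` from the labeling event pins the run to the commit that was reviewed, whereas a branch ref would follow later pushes). Variant 1 is the simpler answer whenever the job does not actually need secrets or write access.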