GA-C010: Self-hosted runner
Info Security
Why This Matters
Self-hosted runners persist state between jobs, lack network isolation, and may expose credentials or sensitive data to untrusted code. When used with `pull_request_target` or fork PRs, an attacker can execute arbitrary code on your infrastructure. Ensure self-hosted runners follow security hardening guidelines: ephemeral runners, network segmentation, and minimal installed tooling.
How to Fix
Consider using GitHub-hosted runners, or ensure self-hosted runners follow security hardening guidelines.
Before (incorrect)
runs-on: self-hosted
After (correct)
runs-on: ubuntu-latest
Rule Details
- Rule Code: GA-C010
- Severity: Info
- Category: Security
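A sketch of the check this rule describes, added here as an example and not taken from the linter's own code. It reports every `runs-on` that selects the `self-hosted` label and whether the workflow also has a `pull_request` or `pull_request_target` trigger. The function name, the sample workflow and the line-based heuristic (used here in place of a YAML parser) are assumptions.

```python
import re

# Constructed sample workflow for illustration (not from the original page).
SAMPLE = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: [self-hosted, linux]
    steps:
      - run: make test
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: make lint
  deploy:
    runs-on:
      - self-hosted
      - gpu
    steps:
      - run: ./deploy.sh
"""

RUNS_ON = re.compile(r"^(\s*)runs-on:\s*(.*)$")
SELF_HOSTED = re.compile(r"(?<![\w-])self-hosted(?![\w-])")
PR_TRIGGER = re.compile(r"\bpull_request(_target)?\b")

def find_self_hosted(text):
    """Return [(line_no, pr_triggered)] for each runs-on selecting self-hosted."""
    # Heuristic line scan, not a YAML parser: strip comments first.
    lines = [re.sub(r"\s+#.*$|^#.*$", "", l) for l in text.splitlines()]
    # Jobs reachable from PR events are where untrusted code meets the runner.
    pr_triggered = any(PR_TRIGGER.search(l) for l in lines)
    findings = []
    for i, line in enumerate(lines):
        m = RUNS_ON.match(line)
        if not m:
            continue
        indent, value = len(m.group(1)), m.group(2)
        # Block-list or mapping form: fold in the more-indented lines below.
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                break
            value += " " + nxt.strip()
        if SELF_HOSTED.search(value):
            findings.append((i + 1, pr_triggered))
    return findings
```

A job that targets a self-hosted runner only through a custom label or a runner group, without the `self-hosted` label, is not caught by this label match and needs an allowlist of known GitHub-hosted labels instead.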