recommend to add octokit to trusted orgs

KyFaSt · KyFaSt · commit 325727ed6dc6 · 2024-10-17T15:59:45.000-04:00
diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
@@ -18,7 +18,7 @@ private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f
 
 bindingset[repo]
 private predicate isTrustedOrg(string repo) {
-  exists(string org | org in ["actions", "github", "advanced-security"] | repo.matches(org + "/%"))
+  exists(string org | org in ["actions", "github", "advanced-security", "octokit"] | repo.matches(org + "/%"))
 }
 
 from UsesStep uses, string repo, string version, Workflow workflow, string name

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f`
`18`	`18`
`19`	`19`	`bindingset[repo]`
`20`	`20`	`private predicate isTrustedOrg(string repo) {`
`21`		`- exists(string org \| org in ["actions", "github", "advanced-security"] \| repo.matches(org + "/%"))`
	`21`	`+ exists(string org \| org in ["actions", "github", "advanced-security", "octokit"] \| repo.matches(org + "/%"))`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`from UsesStep uses, string repo, string version, Workflow workflow, string name`