Add in custom semgrep check

billnapier · billnapier · commit 071e4e0fe713 · 2025-02-24T20:40:29.000Z
diff --git a/semgrep-rules/actions/pull_request_target_needs_exception.yml b/semgrep-rules/actions/pull_request_target_needs_exception.yml
@@ -0,0 +1,15 @@
+rules:
+  - id: pull-request-target-needs-exception
+    languages:
+      - yaml
+    severity: ERROR
+    message: pull_request_target is considered very risky and should only be used when striclty needed.  Please prefer other triggers when possible.
+    metadata:
+      category: best-practice
+      technology:
+        - github-actions      
+    patterns:
+      - pattern-either:
+          - patterns:
+              - pattern-inside: "{on: ...}"
+              - pattern: pull_request_target
