GCP GitHub Actions OIDC trust policy is insecurely configured

Description

This policy detects whether GCP GitHub Actions OIDC trust policies are insecurely configured, potentially allowing security vulnerabilities. Misconfigured policies can allow unauthorized access or introduce potential exploits via wildcards, abusable claims, or improperly formatted repository claims.

Code Example

resource "google_iam_workload_identity_pool_provider" "example" {
  ...
  issuer_uri = "https://token.actions.githubusercontent.com"
  attribute_mapping = {
    "google.subject" = "assertion.sub"
  }
-  attribute_condition = "assertion.sub == 'repo:*'"
+  attribute_condition = "assertion.sub == 'repo:organization/repository'"
}

Remediation

Terraform

Resource: google_iam_workload_identity_pool_provider
Arguments: role

To mitigate this issue, make sure your `google_iam_workload_identity_pool_provider` resource is properly configured without insecure claims.

Avoid wildcards (`*`) or unsafe claim structures.
Ensure claims follow safe and restricted formats. Abusable claims include: "workflow", "environment", "ref", "context", "head_ref", "base_ref"
Use a specific repository reference.

Example:

Rule Details

Field	Value
ID	IAC-0983
Severity	HIGH
IaC Type	Terraform
Frameworks	Terraform, TerraformPlan
Checkov ID	CKV_GCP_125

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

GCP GitHub Actions OIDC trust policy is insecurely configured

Description

Code Example

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

GCP GitHub Actions OIDC trust policy is insecurely configured ​

Description ​

Code Example ​

Remediation ​

Rule Details ​

References ​

GCP GitHub Actions OIDC trust policy is insecurely configured

Description

Code Example

Remediation

Rule Details

References