The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty.

Description

This policy checks that GitHub Actions workflow_dispatch inputs are empty, ensuring that the build output cannot be affected by user parameters other than the build entry point and the top-level source location. This matters because user-controlled inputs can introduce security risks, such as code injection or unauthorized data access. By keeping workflow_dispatch inputs empty, developers prevent these potential vulnerabilities and maintain the integrity of their GitHub Actions workflows.

Code Example

```yml
on:
  workflow_dispatch:
    # Remove any inputs from this section
```

Remediation

Remove any inputs from the workflow_dispatch section in the GitHub Actions workflow file.
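As an added example (not code from this page or from Checkov itself), a minimal Python check in the spirit of CKV_GHA_7: it scans a workflow file's `on:` block and reports every name declared under `workflow_dispatch.inputs`, returning PASSED only when none exist. Both sample workflows are constructed here for the demonstration.

```python
# Constructed sample workflows (not from the page): the first declares a
# user-controlled input, the second keeps workflow_dispatch empty.
WORKFLOW_WITH_INPUTS = """\
on:
  push:
  workflow_dispatch:
    inputs:
      version:
        description: Version to build
        required: true
jobs: {}
"""

WORKFLOW_COMPLIANT = """\
on:
  push:
  workflow_dispatch:
jobs: {}
"""

def workflow_dispatch_inputs(text):
    """Input names declared under on.workflow_dispatch.inputs; [] for the shorthand
    forms (`on: workflow_dispatch`, `on: [push, ...]`) and for `inputs: {}`."""
    names, path = [], []                       # path: [(indent, key), ...] of open mapping keys
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing whitespace
        if not line.strip():
            continue
        ind = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        while path and path[-1][0] >= ind:     # this line closes every block at >= its indent
            path.pop()
        if [k for _, k in path] == ["on", "workflow_dispatch", "inputs"]:
            names.append(key.strip("'\""))     # direct children of inputs: are the input names
        if sep and value.strip() == "":        # only a bare `key:` opens a nested block
            path.append((ind, key.strip("'\"")))
    return names

def check_workflow(text):
    """Policy verdict in Checkov's vocabulary: PASSED when workflow_dispatch has no inputs."""
    inputs = workflow_dispatch_inputs(text)
    return ("FAILED" if inputs else "PASSED", inputs)
```

If you port this to a YAML library, note that PyYAML follows YAML 1.1, where an unquoted `on` key loads as the boolean `True` rather than the string `"on"`, so the trigger block must be looked up under that key.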

Rule Details

Field        Value
ID           IAC-1030
Severity     MEDIUM
IaC Type     github_actions
Frameworks   on
Checkov ID   CKV_GHA_7

References