Goal: Quickly locate GitHub Actions workflow exposures / misconfigs inside a specific Bug Bounty program org (GitHub search, code search, and dorks).
Assume target org: ORG_NAME.
org:ORG_NAME path:.github/workflows language:YAML
(("run:" OR "run: |") AND "${{ github.event") path:.github/workflows language:YAML (org:bazelbuild OR org:angular OR org:golang OR org:protocolbuffers OR org:tink-crypto OR org:google OR org:flutter OR org:openthread OR org:GoogleContainerTools) NOT is:archived
("github.event.pull_request" OR "github.event.issue" OR "github.event.comment") path:.github/workflows language:YAML (org:bazelbuild OR org:angular OR org:golang OR org:protocolbuffers OR org:tink-crypto OR org:google OR org:flutter OR org:openthread OR org:GoogleContainerTools) NOT is:archived
org:ORG_NAME path:.github/workflows ("echo ${{ secrets." OR "echo \"${{ secrets.")
org:ORG_NAME path:.github/workflows ("set-output" AND "secrets")
Search workflows triggered by PR from forks.
org:ORG_NAME path:.github/workflows "pull_request_target"
Combine with shell execution:
org:ORG_NAME path:.github/workflows "pull_request_target" "run:"
org:ORG_NAME path:.github/workflows "actions/checkout" "pull_request_target"
More precise:
org:ORG_NAME path:.github/workflows "ref: ${{ github.event.pull_request.head.sha }}"
org:ORG_NAME path:.github/workflows "github.event.pull_request"
org:ORG_NAME path:.github/workflows "github.event.issue"
org:ORG_NAME path:.github/workflows "github.event.comment"
Search for unsafe variable interpolation in shell.
org:ORG_NAME path:.github/workflows "run:" "${{ github.event"
org:ORG_NAME path:.github/workflows "run: |" "${{ github."
Regex idea (ripgrep / local):
run:.*\$\{\{\s*github\.event\..*\}\}
Self-hosted runners:
org:ORG_NAME path:.github/workflows "self-hosted"
Combined with PR:
org:ORG_NAME path:.github/workflows "self-hosted" "pull_request"
Token permissions:
org:ORG_NAME path:.github/workflows "permissions:"
Look for:
permissions: write-all
permissions:
  contents: write
Search directly:
org:ORG_NAME path:.github/workflows "write-all"
Manual triggers:
org:ORG_NAME path:.github/workflows "workflow_dispatch"
Combined with secrets usage:
org:ORG_NAME path:.github/workflows "workflow_dispatch" "secrets"
Third-party actions:
org:ORG_NAME path:.github/workflows "uses:"
Unpinned actions:
org:ORG_NAME path:.github/workflows "uses:" "@master"
org:ORG_NAME path:.github/workflows "uses:" "@main"
Artifact and cache handling between jobs:
org:ORG_NAME path:.github/workflows "upload-artifact"
org:ORG_NAME path:.github/workflows "download-artifact"
org:ORG_NAME path:.github/workflows "actions/cache"
Environment variables:
org:ORG_NAME path:.github/workflows "env:"
Combined:
org:ORG_NAME path:.github/workflows "env:" "github.event"
If you clone the org's repos and scan locally, grep for these patterns:
pull_request_target
github\.event\.
secrets\.
self-hosted
workflow_dispatch
permissions:\s*write
uses:.*@(main|master)
run:.*\$\{\{.*github\.event

Best GitHub dork I use for bounty:
org:ORG_NAME path:.github/workflows ("pull_request_target" OR "self-hosted" OR "workflow_dispatch" OR "github.event")
path:.github/workflows "pull_request_target" "run:"
path:.github/workflows "github.event.pull_request.title" "run:"
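The local grep list above and the unsafe-interpolation queries earlier are easy to turn into a small offline checker. The following Python script is an added example, not code from this page or from any project: it embeds two constructed workflows (an unsafe one that hits every pattern in the list, and the same job hardened: `pull_request` instead of `pull_request_target`, a read-only token, a hosted runner, the action pinned to a commit SHA shown as placeholder zeros, and the PR title passed through an env var so it is never spliced into the shell script) and runs line-oriented rules over them. The rule ids and the `scan_tree` helper are this example's own assumptions; it tracks `run:` and `permissions:` blocks by indentation rather than parsing YAML.

```python
"""Flag the risky workflow patterns listed above; constructed example, not a project tool."""
import os
import re

# Constructed sample workflows, not taken from any real repository.
UNSAFE_WORKFLOW = """\
on:
  pull_request_target:
permissions: write-all
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@main
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          echo "token ${{ secrets.DEPLOY_TOKEN }}"
"""
# Same job fixed: pull_request trigger, read-only token, hosted runner, action pinned to a
# commit SHA (placeholder digits), untrusted title passed via env instead of spliced into the script.
HARDENED_WORKFLOW = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $PR_TITLE"
"""
# Rules checked on every line (they mirror the grep list above).
LINE_RULES = [
    ("PR_TARGET", re.compile(r"^\s*pull_request_target\s*:")),
    ("WORKFLOW_DISPATCH", re.compile(r"^\s*workflow_dispatch\s*:")),
    ("SELF_HOSTED", re.compile(r"runs-on:.*self-hosted")),
    ("UNPINNED_ACTION", re.compile(r"uses:\s*\S+@(main|master)\b")),
    ("HEAD_SHA_CHECKOUT", re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)")),
]
# Rules that only make sense inside a run: or permissions: block.
RUN_INJECTION = re.compile(r"\$\{\{\s*(github\.event\.|github\.head_ref)")
SECRET_IN_RUN = re.compile(r"\$\{\{\s*secrets\.")
WRITE_SCOPE = re.compile(r"^\s*[\w-]+:\s*write\s*$")
BLOCK_KEY = re.compile(r"^(\s*)(?:-\s+)?(run|permissions)\s*:(.*)$")


def _check_value(key, value, lineno, findings):
    """Block-sensitive checks for one value line belonging to a run:/permissions: key."""
    if key == "run":
        if RUN_INJECTION.search(value):
            findings.append(("RUN_INJECTION", lineno, value.strip()))
        if SECRET_IN_RUN.search(value):
            findings.append(("SECRET_IN_RUN", lineno, value.strip()))
    elif key == "permissions" and (value.strip() == "write-all" or WRITE_SCOPE.match(value)):
        findings.append(("WRITE_PERMS", lineno, value.strip()))


def scan_workflow(text):
    """Return [(rule_id, line_no, line)] for one workflow file; an empty list means clean."""
    findings, block_key, block_indent = [], None, -1
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if block_key and indent <= block_indent:  # dedented back past the key: block over
            block_key = None
        for rule, rx in LINE_RULES:
            if rx.search(line):
                findings.append((rule, lineno, stripped))
        m = BLOCK_KEY.match(line)
        if m:
            key, value = m.group(2), m.group(3).strip()
            if value in ("", "|", "|-", ">", ">-"):  # block scalar or nested mapping follows
                block_key, block_indent = key, m.start(2)
            else:
                _check_value(key, value, lineno, findings)
        elif block_key:
            _check_value(block_key, line, lineno, findings)
    return findings


def scan_tree(root):
    """Scan every .github/workflows/*.yml|yaml under root (e.g. a directory of cloned org repos)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        if not dirpath.replace(os.sep, "/").endswith(".github/workflows"):
            continue
        for name in sorted(files):
            if name.endswith((".yml", ".yaml")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_workflow(fh.read())
                if hits:
                    results[path] = hits
    return results


if __name__ == "__main__":
    for label, wf in (("unsafe", UNSAFE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, scan_workflow(wf))
```

Running the script prints seven findings for the unsafe sample and none for the hardened one; `scan_tree("clones/")` applies the same rules to every workflow under a directory of cloned repos. Because the rules are line-oriented, an expression split across lines or an untrusted value reaching a script through a `with:` input of a script-running action will not be flagged, so treat a clean result as a starting point for manual review, not a verdict.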
GitHub CLI:
gh search code 'org:ORG_NAME path:.github/workflows pull_request_target'
Mass scanning:
gh search code 'path:.github/workflows "github.event"' --limit 500
Code search with a regex path filter:
language:YAML path:/^\.github\/workflows\// (org:google OR org:googleapis OR org:googlecloudplatform)
("github.event.issue.title" OR "github.event.issue.body" OR "github.event.pull_request.title" OR "github.event.pull_request.body") language:YAML path:/^\.github\/workflows\// (org:facebookincubator OR org:facebook)
("github.event." OR "github.head_ref") AND "run:" language:YAML path:/^\.github\/workflows\// (org:facebookincubator OR org:facebook)
("github.event." OR "github.head_ref") AND "run:" language:YAML path:/^\.github\/workflows\// (org:amzn OR org:aws)
("github.event.issue.title" OR "github.event.issue.body" OR "github.event.pull_request.title" OR "github.event.pull_request.body" OR "github.event.comment.body") language:YAML path:/^\.github\/workflows\//