
feat(workflow): complete wave-f detector set#32

Merged
jonathansantilli merged 6 commits into main from codex/wave-f-foundation-phase-f1
Mar 23, 2026

Conversation

Owner

@jonathansantilli jonathansantilli commented Mar 23, 2026

Summary

  • completes Wave F detector implementation with four additional audits:
    • workflow-oidc-untrusted-context
    • workflow-dynamic-matrix-injection
    • dependabot-auto-merge
    • workflow-local-action-mutation
  • wires all new audits into the static engine workflow-audit pipeline
  • adds detector-level tests for each new audit
  • extends Wave F engine integration coverage to assert all new rule IDs are surfaced
  • updates parity documentation and contract tests so Wave F is fully checked

What This Adds

  • OIDC risk detection for untrusted-trigger jobs minting tokens without strict trust boundaries and audience constraints
  • dynamic matrix injection detection when strategy.matrix is sourced from attacker-controlled event payloads and then used in shell execution
  • Dependabot auto-merge confused-deputy detection for weak actor-only bot gating on privileged triggers
  • local action mutation detection for uses: ./... execution paths reachable from untrusted events, with privilege-aware severity

Verification

  • npm run typecheck
  • npm run lint -- src/layer2-static/detectors/workflow-oidc-untrusted-context.ts src/layer2-static/detectors/workflow-dynamic-matrix-injection.ts src/layer2-static/detectors/dependabot-auto-merge.ts src/layer2-static/detectors/workflow-local-action-mutation.ts src/layer2-static/engine.ts tests/layer2/workflow-oidc-untrusted-context.test.ts tests/layer2/workflow-dynamic-matrix-injection.test.ts tests/layer2/dependabot-auto-merge.test.ts tests/layer2/workflow-local-action-mutation.test.ts tests/layer2/workflow-wave-f-engine.test.ts tests/meta/workflow-audit-parity-contract.test.ts
  • npm test -- tests/layer2/workflow-oidc-untrusted-context.test.ts tests/layer2/workflow-dynamic-matrix-injection.test.ts tests/layer2/dependabot-auto-merge.test.ts tests/layer2/workflow-local-action-mutation.test.ts tests/layer2/workflow-wave-f-engine.test.ts tests/meta/workflow-audit-parity-contract.test.ts
  • npm test -- tests/layer2/workflow-*.test.ts tests/layer2/dependabot-*.test.ts tests/meta/workflow-audit-parity-contract.test.ts
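As an added illustration of the dynamic-matrix-injection audit listed above (example code written for this page, not the PR's own detector): a source-to-sink check over an already-parsed workflow object. The untrusted-trigger list, the helper names and the sample workflow are assumptions; only the rule ID comes from the PR.

```typescript
// Added example (not the project's own code): a minimal detector for the
// "dynamic matrix injection" pattern described in the PR. It assumes the workflow
// YAML is already parsed into a plain object; the trigger list and sample are constructed.
type Step = { run?: string; uses?: string };
type Job = { strategy?: { matrix?: unknown }; steps?: Step[] };
type Workflow = { on: unknown; jobs: Record<string, Job> };
type Finding = { rule: string; job: string; step: number; detail: string };
// Triggers whose event payload an outside contributor can influence (assumed list).
const UNTRUSTED_TRIGGERS = ["pull_request_target", "issue_comment", "issues", "workflow_run"];
function triggerNames(on: unknown): string[] {
  if (typeof on === "string") return [on];
  if (Array.isArray(on)) return on.map(String);
  return on && typeof on === "object" ? Object.keys(on as object) : [];
}
// Source: a matrix value that is an expression reading github.event (whole matrix or any key).
function isEventSourcedMatrix(m: unknown): boolean {
  if (typeof m === "string") return /\$\{\{[^}]*github\.event[^}]*\}\}/.test(m);
  if (Array.isArray(m)) return m.some(isEventSourcedMatrix);
  if (!m || typeof m !== "object") return false;
  const o = m as Record<string, unknown>;
  return Object.keys(o).some((k) => isEventSourcedMatrix(o[k]));
}

export function detectDynamicMatrixInjection(wf: Workflow): Finding[] {
  const findings: Finding[] = [];
  const untrusted = triggerNames(wf.on).filter((t) => UNTRUSTED_TRIGGERS.indexOf(t) >= 0);
  if (untrusted.length === 0) return findings; // payload not attacker-influenced: no source
  for (const jobName of Object.keys(wf.jobs)) {
    const job = wf.jobs[jobName];
    if (!isEventSourcedMatrix(job.strategy?.matrix)) continue;
    (job.steps ?? []).forEach((step, i) => {
      // Sink: a matrix.<key> value interpolated into a shell `run` step.
      if (step.run && /\$\{\{\s*matrix\.[\w.-]+\s*\}\}/.test(step.run)) {
        findings.push({ rule: "workflow-dynamic-matrix-injection", job: jobName, step: i,
          detail: `matrix built from ${untrusted.join(", ")} payload reaches run step ${i}` });
      }
    });
  }
  return findings;
}

// Constructed sample: `test` builds its matrix from the PR body and runs it in a shell
// (reported); `lint` uses a static matrix and must not be reported.
export const SAMPLE: Workflow = {
  on: { pull_request_target: { types: ["opened", "synchronize"] } },
  jobs: {
    test: { strategy: { matrix: "${{ fromJSON(github.event.pull_request.body) }}" },
      steps: [{ uses: "actions/checkout@v4" }, { run: "npm test -- ${{ matrix.target }}" }] },
    lint: { strategy: { matrix: { node: [18, 20] } }, steps: [{ run: "npm run lint" }] },
  },
};
```

The same source-to-sink shape (untrusted trigger, event-derived value, shell interpolation) is what the engine integration test in this PR asserts is surfaced for each Wave F rule ID.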

@jonathansantilli jonathansantilli changed the title feat(workflow): add wave-f foundations and pr-target checkout detector feat(workflow): complete wave-f detector set Mar 23, 2026
@jonathansantilli jonathansantilli merged commit e77dedd into main Mar 23, 2026
16 checks passed
@jonathansantilli jonathansantilli deleted the codex/wave-f-foundation-phase-f1 branch March 23, 2026 15:14
jonathansantilli added a commit that referenced this pull request Mar 24, 2026
…phase-f1

feat(workflow): complete wave-f detector set
