fix: #2831

Changes documentation message per discussion in ticket Signed-off-by: Lucas Gonze <[email protected]>
ossf · Sep 18, 2023 · db7b137 · db7b137
1 parent 4a0e3ff
commit db7b137
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/docs/checks.md b/docs/checks.md
@@ -287,6 +287,7 @@ secrets. With the PR checkout, PR authors may compromise the repository, for
 example, by using build scripts controlled by the author of the PR or reading
 token in memory. This check does not detect whether untrusted code checkouts are
 used safely, for example, only on pull request that have been assigned a label.
+See [Keeping your GitHub Actions and workflows secure Part 1](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
 
 Script Injection with Untrusted Context Variables: This pattern detects whether a
 workflow's inline script may execute untrusted input from attackers. This occurs when

diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml
@@ -746,6 +746,7 @@ checks:
       example, by using build scripts controlled by the author of the PR or reading
       token in memory. This check does not detect whether untrusted code checkouts are
       used safely, for example, only on pull request that have been assigned a label.
+      See [Keeping your GitHub Actions and workflows secure Part 1](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
 
       Script Injection with Untrusted Context Variables: This pattern detects whether a
       workflow's inline script may execute untrusted input from attackers. This occurs when