GitHub Actions Supply Chain Alert: Secret Exfiltration Patterns Detected in CI Workflows

A critical security finding has flagged multiple GitHub Actions workflows for harboring patterns consistent with credential exfiltration — the most common objective in CI/CD supply-chain attacks. The vulnerability, tracked as Rule RGS-012, was identified across two workflows: docs-noob-tester and visual-regression-checker.

The core issue lies in `run:` blocks containing outbound HTTP request commands such as `curl` and `wget` that target non-GitHub domains. In job contexts with access to secrets or publishing capabilities, these external requests represent a high-confidence indicator of potential secret exfiltration. Attackers who achieve code execution in a CI runner — through expression injection, fork checkout, or a compromised action — can leverage these outbound connections to transmit stolen credentials to attacker-controlled infrastructure.

The finding raises significant concerns for organizations with workflows triggered by untrusted events, such as pull requests from external contributors. The combination of external HTTP requests with secrets access creates exposure where threat actors can test exploitation pathways without direct repository access. Security teams should audit their CI/CD pipelines for similar outbound request patterns, restrict network egress from runners, and review the principle of least privilege in workflow permissions to limit blast radius if exploitation occurs.