[oblt-aw][security] SEC-022 — findings (2026-05-09)

[elastic-vault-github-plugin-prod]

Security findings (SEC-022)

Analysis date: 2026-05-09
Occurrences: 4

Details

1. .github/workflows/oblt-aw-ingress.yml — line 42 — medium — zizmor [secrets-inherit]: secrets unconditionally inherited by called workflow (https://docs.zizmor.sh/audits/#secrets-inherit)

2. .github/workflows/oblt-aw-ingress.yml — line 105 — medium — zizmor [secrets-inherit]: secrets unconditionally inherited by called workflow (https://docs.zizmor.sh/audits/#secrets-inherit)

3. .github/workflows/oblt-aw-ingress.yml — line 139 — medium — zizmor [secrets-inherit]: secrets unconditionally inherited by called workflow (https://docs.zizmor.sh/audits/#secrets-inherit)

4. .github/workflows/oblt-aw-ingress.yml — line 176 — medium — zizmor [secrets-inherit]: secrets unconditionally inherited by called workflow (https://docs.zizmor.sh/audits/#secrets-inherit)

---

Generated by oblt-aw security detector. Rules: security-scanning-ruleset (SEC-001–SEC-044, aligned with observability-robots#3758).

[github-actions]

tl;dr: SEC-022 is actionable and maps to secret over-scoping (secrets: inherit) in security-fixer call paths; classify as oblt-aw/triage/security-secrets and proceed with a scoped-secret remediation plan.

Recommendation

Treat this as a confirmed security-secrets finding. The strongest in-repo evidence is broad secret inheritance in reusable-workflow calls where only a specific secret is required; replace secrets: inherit with explicit secret mapping for the affected security-fixer path first.

Findings

1. Rule definition and detector mapping are consistent with this issue title.

   • docs/workflows/security-scanning-ruleset.md:145-152 defines SEC-022 as improper secret/token scoping (broader blast radius).
   • scripts/security-scan.sh:114-115 maps zizmor overprovisioned-secrets and secrets-inherit directly to SEC-022.
   • scripts/create-security-issues.sh:49 generates issue titles as [oblt-aw][security] \$\{rule} — findings (\$\{scan_date}), matching #829 format.

2. Concrete vulnerable pattern exists in current workflows.

   • .github/workflows/oblt-aw-ingress.yml:176-179

     uses: ./.github/workflows/gh-aw-security-fixer.yml
     with:
       allowed-bot-users: $\{\{ needs['load-allowed-authors'].outputs['allowed_issue_authors_csv'] }}
     secrets: inherit

   • .github/workflows/gh-aw-security-fixer.yml:9-11,62

     workflow_call:
       secrets:
         COPILOT_GITHUB_TOKEN:
           required: true
     ...
     secrets: inherit

   This passes all caller secrets to downstream reusable workflows despite a specific required secret contract.

3. Cross-reference evidence from run metadata.

   • Workflow run 25594683120 has display_title: [oblt-aw][security] SEC-022 — findings (2026-05-09) and references the security detector/triage chain.

4. Limitation encountered (does not block classification).

   • Direct API reads for issue body/comments and issue search were integrity-filtered in this environment, so this triage is based on verified repo/rule/run evidence.

Verification

I ran a repository grep for secrets: inherit in workflow entrypoints/templates:

$ git --no-pager grep -n "secrets: inherit" -- .github/workflows .github/remote-workflow-template
.github/workflows/gh-aw-agent-suggestions.yml:34:    secrets: inherit
.github/workflows/gh-aw-autodoc.yml:46:    secrets: inherit
.github/workflows/gh-aw-autodoc.yml:82:    secrets: inherit
.github/workflows/gh-aw-issue-fixer.yml:59:    secrets: inherit
.github/workflows/gh-aw-resource-not-accessible-by-integration-detector.yml:82:    secrets: inherit
.github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.yml:61:    secrets: inherit
.github/workflows/gh-aw-security-fixer.yml:62:    secrets: inherit
.github/workflows/oblt-aw-ingress.yml:43:    secrets: inherit
.github/workflows/oblt-aw-ingress.yml:106:    secrets: inherit
.github/workflows/oblt-aw-ingress.yml:142:    secrets: inherit
.github/workflows/oblt-aw-ingress.yml:179:    secrets: inherit

Workflow run jobs summary for 25594683120 confirms security triage path execution (agent step in progress at sampling time):

run-aw / security-triage / security-issue-triage / pre_activation  completed success
run-aw / security-triage / security-issue-triage / activation      completed success
run-aw / security-triage / security-issue-triage / agent           in_progress

Detailed Action Plan

Resolution Plan

Root Cause

• Vulnerable location: reusable workflow invocations using secrets: inherit in security-fixer call chain:
  • .github/workflows/oblt-aw-ingress.yml:176-179
  • .github/workflows/gh-aw-security-fixer.yml:62
• Why vulnerable: secrets: inherit broadens secret exposure to jobs/steps beyond minimal necessity, aligning with SEC-022 improper secret scoping semantics.
• Pattern: over-broad secret passing / secrets-inherit.

Risk Assessment

• Severity: Medium (aligned with docs/workflows/security-scanning-ruleset.md:147).
• Impact: unnecessary secret/token exposure surface across called workflows; increased blast radius if any downstream step is compromised.
• Affected workflows/scripts: oblt-aw-ingress.yml, gh-aw-security-fixer.yml (and potentially other reusable workflow call sites using secrets: inherit).

Remediation Steps

1. Replace secrets: inherit with explicit secret mapping in security-fixer path first:
   • In .github/workflows/oblt-aw-ingress.yml security-fixer job, pass only COPILOT_GITHUB_TOKEN (and any strictly required additional secret if proven necessary).
2. In .github/workflows/gh-aw-security-fixer.yml, ensure downstream uses: elastic/ai-github-actions/.../gh-aw-issue-fixer.lock.yml@main receives only explicit secrets needed by that contract.
3. Audit other secrets: inherit call sites from grep output and convert to explicit mappings where feasible.
4. Keep permissions least-privilege at workflow/job level while making secret scope narrower.
5. Update docs to codify “no secrets: inherit for security-sensitive reusable workflows unless explicitly justified”.

Before / After Examples

Before (vulnerable):

# .github/workflows/oblt-aw-ingress.yml
security-fixer:
  uses: ./.github/workflows/gh-aw-security-fixer.yml
  with:
    allowed-bot-users: $\{\{ needs['load-allowed-authors'].outputs['allowed_issue_authors_csv'] }}
  secrets: inherit

After (remediated):

# .github/workflows/oblt-aw-ingress.yml
security-fixer:
  uses: ./.github/workflows/gh-aw-security-fixer.yml
  with:
    allowed-bot-users: $\{\{ needs['load-allowed-authors'].outputs['allowed_issue_authors_csv'] }}
  secrets:
    COPILOT_GITHUB_TOKEN: $\{\{ secrets.COPILOT_GITHUB_TOKEN }}

Success Criteria

• No secrets: inherit in security-fixer secret path without explicit justification.
• Only required secrets are passed to each reusable workflow.
• Permissions remain minimized per job.
• Security detector no longer emits SEC-022 for remediated paths.
• Security workflow docs include secret-scoping guidance.

Additional Resources

• GitHub Actions Security Hardening
• Workflow Permission Syntax

Related Items

Type	Link / Reference	Relevance
Issue	#829	Current SEC-022 triage target
Workflow run	25594683120	Run metadata confirms SEC-022 detector/triage path context
File	.github/workflows/oblt-aw-ingress.yml:176-179	Security-fixer invocation with secrets: inherit
File	.github/workflows/gh-aw-security-fixer.yml:9-11,62	Declares specific secret but uses broad inherit downstream
File	scripts/security-scan.sh:114-115	Detector mapping secrets-inherit/overprovisioned-secrets → SEC-022
File	docs/workflows/security-scanning-ruleset.md:145-152	SEC-022 definition and scope
Limitation	Issue/comment search APIs integrity-filtered in this run	Prevented direct duplicate/body correlation

Note

🔒 Integrity filter blocked 14 items

The following items were blocked because they don't meet the GitHub integrity level.

• [oblt-aw][security] SEC-022 — findings (2026-05-09) #829 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #829 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #829 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #819 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #811 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #800 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #789 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #777 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #768 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #761 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #750 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #738 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #142 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #727 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: Observability Agentic Workflow Entrypoint

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[github-actions]

tl;dr: I implemented a direct SEC-022 remediation by removing all secrets: inherit usage in the affected reusable-workflow chain and replacing it with explicit COPILOT_GITHUB_TOKEN pass-through, plus the required workflow_call secret declarations.

Recommendation

Keep explicit secret mapping for all reusable workflow calls and avoid secrets: inherit in this repo’s workflow-call chain. This is the least-privilege fix for SEC-022 and prevents over-broad secret propagation.

Findings

Code-level findings (with evidence)

The repo had secrets: inherit in reusable workflow calls that can trigger SEC-022 (secrets-inherit / overprovisioned secret scope). I updated these locations:

• .github/workflows/gh-aw-issue-fixer.yml (L3-L6, L62-L63)
• .github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.yml (L3-L11, L64-L65)
• .github/workflows/gh-aw-autodoc.yml (L46-L47, L83-L84)
• .github/workflows/gh-aw-agent-suggestions.yml (L34-L35)
• .github/workflows/gh-aw-security-fixer.yml (L62-L63)
• .github/workflows/gh-aw-resource-not-accessible-by-integration-detector.yml (L82-L83)
• .github/workflows/oblt-aw-ingress.yml (L43-L44, L107-L108, L144-L145, L182-L183)

All secrets: inherit entries under .github/workflows/**/*.yml are now removed.

Verification

Commands and output

rg "secrets:\s*inherit" .github/workflows/**/*.yml

No matches found.

npm ci && npm test

added 5 packages, and audited 6 packages in 684ms

> oblt-aw-automerge-tests@1.0.0 test
> tsx --test tests/unit/*.test.ts

✔ ...
i pass 6
i fail 0

python3 -m venv /tmp/gh-aw/agent/pytest-venv && . /tmp/gh-aw/agent/pytest-venv/bin/activate && pytest tests/

collected 89 items
...
89 passed in 0.16s

Detailed Action Plan

Implemented plan (completed)

1. Replace every secrets: inherit in reusable workflow calls with explicit COPILOT_GITHUB_TOKEN mapping.
2. Add on.workflow_call.secrets.COPILOT_GITHUB_TOKEN to workflows that now require explicit pass-through from caller.
3. Keep permission scopes unchanged in this fix (scope is SEC-022 secret propagation, not SEC-040 permission minimization).
4. Validate no residual inherit-based secret propagation and run repo tests.
5. Open a draft PR linked to this issue.

Related Items

Type	Item
Issue	#829
Files changed	.github/workflows/gh-aw-agent-suggestions.yml, .github/workflows/gh-aw-autodoc.yml, .github/workflows/gh-aw-issue-fixer.yml, .github/workflows/gh-aw-resource-not-accessible-by-integration-detector.yml, .github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.yml, .github/workflows/gh-aw-security-fixer.yml, .github/workflows/oblt-aw-ingress.yml
Rule reference	docs/workflows/security-scanning-ruleset.md (SEC-022)

Note

🔒 Integrity filter blocked 3 items

The following items were blocked because they don't meet the GitHub integrity level.

• #829 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-022 — findings (2026-05-09) #829 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #829 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: Observability Agentic Workflow Entrypoint

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.