> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-1 — Checkout persists credentials under a privileged trigger

> actions/checkout under pull_request_target / workflow_run without persist-credentials: false leaves the job token in .git/config.

| Field    | Value                                                                                                                                                          |
| -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Category | `CICD-SEC-1`                                                                                                                                                   |
| Rule ID  | `cicd-sec-1-checkout-persist-credentials`                                                                                                                      |
| Severity | **MEDIUM**                                                                                                                                                     |
| OWASP    | [CICD-SEC-1: Insufficient Flow Control Mechanisms](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-01-Insufficient-Flow-Control-Mechanisms) |
| Auto-fix | ✓                                                                                                                                                              |

## What the check does

Fires only on workflows triggered by `pull_request_target` or `workflow_run`. Within those, it flags any `actions/checkout` step that does not set `with: persist-credentials: false`.

By default `actions/checkout` writes the job's token into `.git/config` so later `git` commands can authenticate. Under a privileged trigger that token is the powerful base-context token.

## Why it matters

`pull_request_target` and `workflow_run` run with repository secrets and (often) a writable token. If checkout leaves that token in `.git/config` and a later step runs untrusted code — a build script from the PR, a third-party action, a `make` target — that code can read the token straight out of the workspace and use it, even if the workflow never passes the token explicitly.

Setting `persist-credentials: false` removes the token from the workspace after checkout, closing that path.

## Vulnerable example

```yaml theme={null}
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # token persists in .git/config
      - run: make build             # untrusted target can read it
```

## Safe alternative

```yaml theme={null}
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: make build
```

## Auto-fix

Pipefort's `--fix` adds `persist-credentials: false` to the checkout step's `with:` block (creating the block if needed).
