policy name: actions_can_approve_pull_requests
severity: HIGH
The default GitHub Actions configuration allows workflows to approve pull requests. This lets users bypass code-review restrictions.
Attackers can exploit this misconfiguration to bypass code-review restrictions: a workflow that approves its own author's pull request lets that pull request be merged without anyone else noticing, so malicious code can go straight to production.
- Make sure you have admin permissions
- Go to the org's settings page
- Open the "Actions - General" tab
- Under 'Workflow permissions'
- Uncheck 'Allow GitHub Actions to create and approve pull requests'
- Click 'Save'
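As an added example (not part of this policy's text), the same setting can be audited and remediated through the GitHub REST API rather than the settings page: `GET /orgs/{org}/actions/permissions/workflow` returns the flag behind the checkbox above, and a `PUT` to the same path with `can_approve_pull_request_reviews: false` applies the fix. The script also reports the `default_workflow_permissions` value from the same response, which goes slightly beyond this policy; the `fetch_workflow_permissions` helper, the token handling and the sample response are assumptions constructed for the example.

```python
"""Audit an org's GitHub Actions workflow permissions for the
'can approve pull requests' setting (added example, not part of the policy)."""
import json
import urllib.request

API = "https://api.github.com"


def evaluate_workflow_permissions(settings: dict) -> list[str]:
    """Return findings for the JSON body returned by
    GET /orgs/{org}/actions/permissions/workflow."""
    findings = []
    if settings.get("can_approve_pull_request_reviews", False):
        findings.append(
            "actions_can_approve_pull_requests: workflows may approve pull "
            "requests, so a workflow author can bypass required reviews"
        )
    # Related (same settings tab): a write-by-default GITHUB_TOKEN widens
    # what any workflow can do; reported alongside the main finding.
    if settings.get("default_workflow_permissions") == "write":
        findings.append(
            "default_workflow_permissions is 'write'; 'read' is the safer default"
        )
    return findings


def remediation_payload() -> dict:
    """Body for PUT /orgs/{org}/actions/permissions/workflow that unchecks
    'Allow GitHub Actions to create and approve pull requests'."""
    return {"can_approve_pull_request_reviews": False}


def fetch_workflow_permissions(org: str, token: str) -> dict:
    """Read the live setting (assumed helper); needs an org-admin token."""
    req = urllib.request.Request(
        f"{API}/orgs/{org}/actions/permissions/workflow",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample response mirroring the misconfiguration this policy
# describes, so the check runs offline without an API call.
SAMPLE_INSECURE = {"default_workflow_permissions": "read",
                   "can_approve_pull_request_reviews": True}

if __name__ == "__main__":
    for finding in evaluate_workflow_permissions(SAMPLE_INSECURE):
        print("FINDING:", finding)
    print("fix with PUT body:", json.dumps(remediation_payload()))
```

Against a live org, replace `SAMPLE_INSECURE` with `fetch_workflow_permissions("<org>", "<token>")` and send `remediation_payload()` in a `PUT` to the same endpoint when a finding is reported.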