sentinel-ci 1.3.0 → 1.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 23aa715c0e322cb64a295126e1c7ea6d799b5e2160b1f9afb6781c70d6d67e74
-  data.tar.gz: 4dcef6fdb0ce75cc6df95b875c184bb2eac4664cfaa3cc08c887cba17b01544b
+  metadata.gz: '070770478121626be95f0c860bbd83958d3c5e713574330d607e604f8e0dc374'
+  data.tar.gz: d2269120be9f63c470c8543cb1082584194318f3e5e90d8a1b26cf5c80fd55ba
 SHA512:
-  metadata.gz: a73ae7c6c62199f997171d442a4f34b5f8ba01d57606e9b4a95be3841a9b4939860dfeb4f240c6f3e1aa766d8416dc13a9b40aaeef8cd09cad96db3770caf5a2
-  data.tar.gz: 7db22bcd42d182031dbb1d2adfa9da5e6073d9655ac58900065afd37be674bc4d477ba9ab775756c067569b0f02ec1a6d7730dfd81f0a87298d49cea796315cb
+  metadata.gz: 2955311417f590f00a66cf7ec9e0f8fbea4d71213f626dd1fcd854fe7242d7635ab330cd2939cecdacb089d3427d90791b4c18a40b99ade980b780f7f906a2a5
+  data.tar.gz: f6d57dda77bf75cc0f77d826ece255ae16efcb26c39eea5a3c2503e89c6577aadf7b666687638ab2122f2366ccbbf314a74875f16ec6a88f014685b301ec88a1

data/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 1.3.1 (2026-05-22)
+
+### Bug Fixes
+- Fix warn-only mode: read `INPUT_FAIL-ON-FINDINGS` env var (GitHub Actions passes docker action inputs with hyphens preserved, not converted to underscores)
+
 ## 1.3.0 (2026-05-18)
 
 ### New Features

data/lib/auto_fix.rb

@@ -26,8 +26,6 @@ module AutoFix
         "github.event.discussion.body"         => "DISCUSSION_BODY",
         "github.event.workflow_run.head_branch" => "WORKFLOW_HEAD_BRANCH",
         "github.head_ref"                      => "HEAD_REF",
-        "github.actor"                         => "GH_ACTOR",
-        "github.triggering_actor"              => "TRIGGERING_ACTOR",
     }.freeze
 
     # Workflow dispatch input expressions
@@ -62,7 +60,7 @@ module AutoFix
         # Validate the result is still valid YAML
         if result && result != raw_content
             begin
-                YAML.safe_load(result)
+                YAML.safe_load(result, aliases: true)
             rescue YAML::SyntaxError => e
                 $stderr.puts "AutoFix: generated invalid YAML for #{finding.rule} in #{finding.file}: #{e.message}"
                 return raw_content  # fail safe — return original

data/lib/github_client.rb

@@ -59,7 +59,7 @@ class GitHubClient
         content ||= fetch_file_content(repo, ".github/dependabot.yaml")
         return nil unless content
         begin
-            YAML.safe_load(content)
+            YAML.safe_load(content, aliases: true)
         rescue StandardError => e
             nil
         end

data/lib/local_client.rb

@@ -25,7 +25,7 @@ class LocalClient
         path = File.join(@path, ".github", "dependabot.yaml") unless File.exist?(path)
         return nil unless File.exist?(path)
         begin
-            YAML.safe_load(File.read(path))
+            YAML.safe_load(File.read(path), aliases: true)
         rescue StandardError => e
             nil
         end

data/lib/platforms/bitbucket.rb

@@ -8,7 +8,7 @@ module Platforms
         def initialize(content, filename: "bitbucket-pipelines.yml")
             @content = content
             @filename = filename
-            @data = YAML.safe_load(content, permitted_classes: [Symbol]) || {}
+            @data = YAML.safe_load(content, aliases: true) || {}
             @lines = content.lines
         rescue YAML::SyntaxError
             @data = {}

data/lib/platforms/gitlab.rb

@@ -8,7 +8,7 @@ module Platforms
         def initialize(content, filename: ".gitlab-ci.yml")
             @content = content
             @filename = filename
-            @data = YAML.safe_load(content, permitted_classes: [Symbol]) || {}
+            @data = YAML.safe_load(content, aliases: true) || {}
             @lines = content.lines
         rescue YAML::SyntaxError
             @data = {}

data/lib/platforms/shared_patterns.rb

@@ -15,6 +15,7 @@ module Platforms
 
         PASSWORD_PATTERN = /password:\s*[^\s${\#]+/i
         SAFE_VALUE_PATTERN = /\$\{\{.*\}\}|\$[A-Z_]+|\$\{[A-Z_]+\}/
+        SAFE_PASSWORDS = %w[postgres password test example changeme admin root dummy placeholder true false].freeze
 
         def scan_for_hardcoded_secrets(lines, filename:, platform_fix:)
             findings = []
@@ -42,6 +43,7 @@ module Platforms
                 if line.match?(PASSWORD_PATTERN)
                     value = line[/password:\s*(.+)/i, 1]&.strip
                     if value && !value.match?(SAFE_VALUE_PATTERN) && !value.start_with?("#")
+                        next if SAFE_PASSWORDS.include?(value.strip.downcase)
                         findings << Finding.new(
                             rule: "hardcoded-secrets",
                             severity: :critical,

data/lib/policy.rb

@@ -54,7 +54,7 @@ class Policy
     private
 
     def load_config
-        raw = YAML.safe_load(File.read(@path))
+        raw = YAML.safe_load(File.read(@path), aliases: true)
         unless raw.is_a?(Hash)
             @errors << "#{@path}: expected a YAML mapping, got #{raw.class}"
             return

data/lib/rules/ai_config_injection.rb

@@ -0,0 +1,211 @@
+module Rules
+    class AiConfigInjection < Base
+        def name = "ai-config-injection"
+        def description = "AI tool runs on PR checkout code with attacker-controlled config"
+        def severity = :critical
+
+        PR_TRIGGERS = %w[pull_request pull_request_target].freeze
+
+        AI_TOOL_ACTION_PATTERNS = [
+            /\banthropics\/claude/i,
+            /\bgithub\/copilot/i,
+            /\baider[_-]ai\//i,
+            /\bcursor\//i,
+            /\bcline\//i,
+            /\bcontinue[_-]dev\//i,
+            /\bwindsurf\//i,
+            /\bcodex\//i,
+            /\bsweep[_-]ai\//i,
+            /\bdevin\//i,
+        ].freeze
+
+        AI_TOOL_COMMANDS = [
+            /\bclaude\b/,
+            /\baider\b/,
+            /\bcursor\s+(review|fix|chat|ask|compose|run)\b/,
+            /\bcopilot\b/,
+            /\bsgpt\b/,
+            /\bcline\b/,
+            /\bcontinue\s+(chat|review|fix|ask|suggest|generate|dev)\b/,
+            /\bwindsurf\b/,
+            /\bcodex\b/,
+            /\bdevin\b/,
+        ].freeze
+
+        SANITIZATION_DIRS = %w[
+            .claude/
+            .cursor/
+            .continue/
+            .github/copilot/
+        ].freeze
+
+        SANITIZATION_FILES = %w[
+            .mcp.json
+            CLAUDE.md
+            .cursorrules
+            .aider.conf.yml
+            .aiderignore
+            .copilot-instructions.md
+            .clinerules
+            .windsurfrules
+            .continue/config.json
+        ].freeze
+
+        SANITIZATION_PATHS = (SANITIZATION_DIRS + SANITIZATION_FILES).freeze
+
+        SANITIZATION_FIX = "Add a sanitization step after checkout: " \
+            "rm -rf .claude/ .cursor/ .continue/ .github/copilot/ && " \
+            "rm -f .mcp.json .cursorrules .aider.conf.yml .aiderignore " \
+            ".copilot-instructions.md CLAUDE.md .clinerules .windsurfrules " \
+            ".continue/config.json"
+
+        def check(workflow)
+            findings = []
+            triggers = workflow.triggers
+
+            pr_triggers = detect_pr_triggers(triggers)
+            return findings if pr_triggers.empty?
+
+            workflow.jobs.each do |_job_id, job|
+                pr_triggers.each do |pr_trigger|
+                    is_prt = (pr_trigger == "pull_request_target")
+                    pr_checkout_found = false
+                    sanitized = false
+
+                    workflow.steps(job).each do |step|
+                        if !pr_checkout_found && pr_code_checkout?(step, is_prt)
+                            pr_checkout_found = true
+                            sanitized = false
+                            next
+                        end
+
+                        next unless pr_checkout_found
+
+                        if sanitization_step?(step)
+                            sanitized = true
+                            next
+                        end
+
+                        if ai_tool_step?(step) && !sanitized && !isolated_working_dir?(step)
+                            tool_name = identify_ai_tool(step)
+                            sev = is_prt ? :critical : :high
+
+                            code = step["uses"] ? "uses: #{step["uses"]}" : step["run"]&.lines&.first&.strip
+                            line = if step["uses"]
+                                workflow.line_of(/uses:\s*#{Regexp.escape(step["uses"])}/) || 0
+                            elsif step["run"]
+                                first_line = step["run"].lines.first&.strip
+                                first_line ? (workflow.line_of(/#{Regexp.escape(first_line[0..40])}/) || 0) : 0
+                            else
+                                0
+                            end
+
+                            findings << Finding.new(
+                                rule: name,
+                                severity: sev,
+                                file: workflow.filename,
+                                line: line,
+                                code: code,
+                                message: "#{tool_name} runs on PR checkout code (#{pr_trigger} trigger) " \
+                                    "— attacker-controlled AI config files execute arbitrary code",
+                                fix: SANITIZATION_FIX
+                            )
+                        end
+                    end
+                end
+            end
+
+            findings
+        end
+
+        private
+
+        def detect_pr_triggers(triggers)
+            trigger_list = case triggers
+                when Hash then triggers.keys.map(&:to_s)
+                when Array then triggers.map(&:to_s)
+                when String then [triggers]
+                else []
+            end
+
+            PR_TRIGGERS.select { |t| trigger_list.include?(t) }
+        end
+
+        def pr_code_checkout?(step, is_prt)
+            return false unless step["uses"]&.include?("checkout")
+
+            with = step["with"] || {}
+            ref = with["ref"]&.to_s || ""
+
+            if is_prt
+                ref.match?(/\bgithub\.event\.pull_request\.head\b/) ||
+                    ref.match?(/\bgithub\.head_ref\b/)
+            else
+                ref.empty? ||
+                    ref.match?(/\bgithub\.event\.pull_request\.head\b/) ||
+                    ref.match?(/\bgithub\.head_ref\b/) ||
+                    ref.match?(/\bgithub\.ref\b/)
+            end
+        end
+
+        def ai_tool_step?(step)
+            ai_tool_action?(step["uses"]) || ai_tool_command?(step["run"])
+        end
+
+        def ai_tool_action?(uses)
+            return false unless uses
+            AI_TOOL_ACTION_PATTERNS.any? { |p| uses.match?(p) }
+        end
+
+        def ai_tool_command?(run)
+            return false unless run
+            AI_TOOL_COMMANDS.any? { |p| run.match?(p) }
+        end
+
+        def sanitization_step?(step)
+            run = step["run"]
+            return false unless run
+            return false unless run.match?(/\brm\b/)
+            SANITIZATION_PATHS.any? { |path| run.include?(path) }
+        end
+
+        def isolated_working_dir?(step)
+            wd = step["working-directory"] || step.dig("with", "working-directory")
+            return false unless wd
+            !wd.strip.empty? && wd.strip != "."
+        end
+
+        def identify_ai_tool(step)
+            if step["uses"]
+                case step["uses"]
+                when /claude/i then "Claude Code"
+                when /copilot/i then "GitHub Copilot"
+                when /aider/i then "Aider"
+                when /cursor/i then "Cursor"
+                when /cline/i then "Cline"
+                when /continue[_-]dev/i then "Continue"
+                when /windsurf/i then "Windsurf"
+                when /codex/i then "Codex"
+                when /devin/i then "Devin"
+                else "AI tool (#{step["uses"]})"
+                end
+            elsif step["run"]
+                case step["run"]
+                when /\bclaude\b/ then "Claude Code"
+                when /\bcopilot\b/ then "GitHub Copilot"
+                when /\baider\b/ then "Aider"
+                when /\bcursor\s+(review|fix|chat|ask|compose|run)\b/ then "Cursor"
+                when /\bsgpt\b/ then "Shell GPT"
+                when /\bcline\b/ then "Cline"
+                when /\bcontinue\s+(chat|review|fix|ask|suggest|generate|dev)\b/ then "Continue"
+                when /\bwindsurf\b/ then "Windsurf"
+                when /\bcodex\b/ then "Codex"
+                when /\bdevin\b/ then "Devin"
+                else "AI tool"
+                end
+            else
+                "AI tool"
+            end
+        end
+    end
+end

data/lib/rules/concerns/guard_patterns.rb

@@ -0,0 +1,184 @@
+module Rules
+    module GuardPatterns
+        SAFE_TRIGGERS = %w[
+            workflow_dispatch schedule push workflow_call release
+            deployment deployment_status create delete
+            page_build watch fork star gollum
+        ].freeze
+
+        JOB_PROPERTIES = %w[
+            steps runs-on env strategy permissions outputs concurrency
+            services needs container timeout-minutes if name defaults
+        ].freeze
+
+        DANGEROUS_CONTEXTS = %w[
+            github.event.pull_request.title
+            github.event.pull_request.body
+            github.event.pull_request.head.ref
+            github.event.pull_request.head.label
+            github.event.issue.title
+            github.event.issue.body
+            github.event.comment.body
+            github.event.review.body
+            github.event.discussion.title
+            github.event.discussion.body
+            github.event.workflow_run.head_branch
+            github.head_ref
+        ].freeze
+
+        def safe_trigger_only?(workflow)
+            trigger_names = case workflow.triggers
+            when Hash then workflow.triggers.keys.map(&:to_s)
+            when Array then workflow.triggers.map(&:to_s)
+            when String then [workflow.triggers]
+            else []
+            end
+
+            trigger_names.any? && trigger_names.all? { |t| SAFE_TRIGGERS.include?(t) }
+        end
+
+        def guarded_by_safe_event?(workflow, line_num)
+            guarded_by_step_if?(workflow, line_num) || guarded_by_job_if?(workflow, line_num)
+        end
+
+        def strip_inline_comment(line)
+            in_single_quote = false
+            in_double_quote = false
+
+            i = 0
+            while i < line.length
+                char = line[i]
+
+                if char == "'" && !in_double_quote
+                    in_single_quote = !in_single_quote
+                elsif char == '"' && !in_single_quote
+                    in_double_quote = !in_double_quote
+                elsif char == '#' && !in_single_quote && !in_double_quote
+                    # Only strip if preceded by whitespace (or at start of line content)
+                    if i == 0 || line[i - 1] =~ /\s/
+                        return line[0...i].rstrip
+                    end
+                end
+
+                i += 1
+            end
+
+            line
+        end
+
+        private
+
+        # Walk upward from line_num looking for a step-level `if:` guard.
+        # Stop at step boundaries: a line matching `^\s*-\s+` at the same or
+        # lower indent as the step's dash signals a different step.
+        def guarded_by_step_if?(workflow, line_num)
+            (line_num - 2).downto([line_num - 30, 0].max) do |i|
+                content = workflow.raw_lines[i]
+                next unless content
+
+                # Found step-level `if:` before hitting a boundary
+                if content.match?(/^\s+if:\s*/)
+                    condition = content[/if:\s*(.+)/, 1]&.strip
+                    return safe_guard_condition?(condition) if condition
+                end
+
+                # Step boundary: a line starting with `- ` at step indent
+                if content.match?(/^\s+-\s+\S/)
+                    # Check if the step boundary itself is `- if:` (guard on dash line)
+                    if content.match?(/^\s+-\s+if:\s*/)
+                        condition = content[/if:\s*(.+)/, 1]&.strip
+                        return safe_guard_condition?(condition) if condition
+                    end
+                    break
+                end
+
+                # Job-level key (no dash prefix, at job indent) means we've left the step
+                if content.match?(/^\s+\w[\w-]*:/) && !content.match?(/^\s+-/)
+                    indent = content[/^\s*/].length
+                    # If this is shallow (job key level), stop
+                    break if indent <= 6
+                end
+            end
+
+            false
+        end
+
+        # Walk upward from line_num looking for a job-level `if:` guard.
+        # Stop at `jobs:` key or when crossing into a different job.
+        def guarded_by_job_if?(workflow, line_num)
+            # Track job key boundaries: the first job key we encounter going
+            # upward is the enclosing job; the second means we've left it.
+            job_keys_seen = 0
+            enclosing_job_line = nil
+
+            (line_num - 2).downto(0) do |i|
+                content = workflow.raw_lines[i]
+                next unless content
+
+                # `jobs:` means we've gone too far without finding a job-level if:
+                return false if content.match?(/^jobs:\s*$/)
+
+                # Detect job key lines (e.g. "  build:" at job-key indent)
+                if content.match?(/^\s+(\w[\w-]*):\s*$/)
+                    key_name = content[/^\s+(\w[\w-]*):\s*$/, 1]
+                    key_indent = content[/^\s*/].length
+                    # Job keys are typically at indent 2 (under `jobs:`);
+                    # skip known job properties (steps:, permissions:, etc.)
+                    if key_indent <= 4 && !JOB_PROPERTIES.include?(key_name)
+                        job_keys_seen += 1
+                        enclosing_job_line = i if job_keys_seen == 1
+                        # Second job key means we've crossed into a different job
+                        return false if job_keys_seen > 1
+                    end
+                end
+
+                # Job-level `if:` — directly under a job key, typically at indent 4 or 6
+                if content.match?(/^\s+if:\s*/)
+                    # Check if this is job-level (not step-level) by verifying indent
+                    if_indent = content[/^\s*/].length
+
+                    # Look further up to see if there's a job key at indent - 2
+                    (i - 1).downto([i - 15, 0].max) do |j|
+                        above = workflow.raw_lines[j]
+                        next unless above
+
+                        if above.match?(/^\s+\w[\w-]*:\s*$/)
+                            above_indent = above[/^\s*/].length
+                            # The job key above must be our enclosing job, not a
+                            # different one. If we already found the enclosing job
+                            # key, verify this `if:` belongs to it.
+                            if if_indent == above_indent + 2 &&
+                               (enclosing_job_line.nil? || j == enclosing_job_line)
+                                condition = content[/if:\s*(.+)/, 1]&.strip
+                                return safe_guard_condition?(condition) if condition
+                            end
+                            break
+                        end
+                    end
+                end
+
+                # `steps:` key means we've passed from steps into job-level territory
+                next if content.match?(/^\s+steps:\s*$/)
+            end
+
+            false
+        end
+
+        # Check if a simple `if:` condition clearly excludes attacker-controlled triggers.
+        # Only matches simple single-clause guards, not complex boolean expressions.
+        def safe_guard_condition?(condition)
+            # Strip ${{ }} wrapper if present
+            condition = condition.gsub(/\$\{\{\s*/, '').gsub(/\s*\}\}/, '').strip
+
+            # Reject complex expressions
+            return false if condition.match?(/(\|\||&&|always\s*\(|failure\s*\(|cancelled\s*\()/)
+
+            # Pattern: github.event_name == 'push' (or any SAFE_TRIGGER)
+            if (m = condition.match(/\Agithub\.event_name\s*==\s*['"](\w+)['"]\z/))
+                return SAFE_TRIGGERS.include?(m[1])
+            end
+
+            false
+        end
+    end
+end

data/lib/rules/github_script_injection.rb

@@ -1,35 +1,26 @@
+require_relative "concerns/guard_patterns"
+
 module Rules
     class GithubScriptInjection < Base
+        include GuardPatterns
+
         def name = "github-script-injection"
         def description = "Attacker-controllable ${{ }} expression in actions/github-script"
         def severity = :critical
 
-        DANGEROUS_CONTEXTS = %w[
-            github.event.pull_request.title
-            github.event.pull_request.body
-            github.event.pull_request.head.ref
-            github.event.pull_request.head.label
-            github.event.issue.title
-            github.event.issue.body
-            github.event.comment.body
-            github.event.review.body
-            github.event.discussion.title
-            github.event.discussion.body
-            github.event.workflow_run.head_branch
-            github.head_ref
-            github.actor
-            github.triggering_actor
-        ].freeze
-
         PATTERN = /\$\{\{\s*(#{DANGEROUS_CONTEXTS.map { |c| Regexp.escape(c) }.join('|')})/
 
         def check(workflow)
             findings = []
 
+            return [] if safe_trigger_only?(workflow)
+
             workflow.raw_lines.each_with_index do |line, idx|
                 line_num = idx + 1
+                next if line.strip.start_with?('#')
                 next unless line.match?(PATTERN)
                 next unless in_github_script_block?(workflow, line_num)
+                next if guarded_by_safe_event?(workflow, line_num)
 
                 match = line.match(PATTERN)
                 next unless match
@@ -55,22 +46,18 @@ module Rules
                 content = workflow.raw_lines[i]
                 next unless content
 
-                # Found script: key — check if we're within a github-script step
                 if content.match?(/^\s+script:\s*[\|>]?\s*$/) || content.match?(/^\s+script:\s+\S/)
                     in_script = true
                     script_indent = content[/^\s*/].length
-                    # Now look further up for the uses: actions/github-script line
                     i.downto([i - 15, 0].max) do |j|
                         step_line = workflow.raw_lines[j]
                         next unless step_line
                         return true if step_line.match?(/uses:\s*actions\/github-script/)
-                        # Stop if we hit another step boundary
                         break if step_line.match?(/^\s+-\s+(name|uses|run|if|id):/)
                     end
                     return false
                 end
 
-                # If we hit a different key at the same or lower indent, we're outside the block
                 if content.match?(/^\s+(uses|run|if|id|name|env|with):/) || content.match?(/^\s+-\s+(name|uses|run):/)
                     return false
                 end

data/lib/rules/hardcoded_secrets.rb

@@ -17,7 +17,7 @@ module Rules
 
         PASSWORD_PATTERN = /password:\s*[^\s${\#]+/i
         SAFE_VALUE_PATTERN = /\$\{\{.*\}\}|\$[A-Z_]+/
-        SAFE_PASSWORDS = %w[postgres password test example changeme admin root dummy placeholder].freeze
+        SAFE_PASSWORDS = %w[postgres password test example changeme admin root dummy placeholder true false].freeze
 
         def check(workflow)
             findings = []

data/lib/rules/shell_injection_expr.rb

@@ -1,40 +1,32 @@
+require_relative "concerns/guard_patterns"
+
 module Rules
     class ShellInjectionExpr < Base
+        include GuardPatterns
+
         def name = "shell-injection-expr"
         def description = "Attacker-controllable ${{ }} expression in run: block"
         def severity = :critical
 
-        DANGEROUS_CONTEXTS = %w[
-            github.event.pull_request.title
-            github.event.pull_request.body
-            github.event.pull_request.head.ref
-            github.event.pull_request.head.label
-            github.event.issue.title
-            github.event.issue.body
-            github.event.comment.body
-            github.event.review.body
-            github.event.discussion.title
-            github.event.discussion.body
-            github.event.workflow_run.head_branch
-            github.head_ref
-            github.actor
-            github.triggering_actor
-        ].freeze
-
         PATTERN = /\$\{\{\s*(#{DANGEROUS_CONTEXTS.map { |c| Regexp.escape(c) }.join('|')})/
 
         def check(workflow)
             findings = []
+
+            return [] if safe_trigger_only?(workflow)
+
             workflow.lines_of(PATTERN).each do |line_num|
                 line = workflow.line_content(line_num)
+                next if line.strip.start_with?('#')
                 next unless in_run_block?(workflow, line_num)
+                next if guarded_by_safe_event?(workflow, line_num)
 
                 match = line.match(PATTERN)
                 next unless match
 
                 findings << finding(workflow,
                     line: line_num,
-                    code: line.strip,
+                    code: workflow.line_content(line_num).strip,
                     message: "Attacker-controllable expression ${{ #{match[1]} }} in run: block — shell injection risk",
                     fix: "Move to env: block and reference as $ENV_VAR in the shell"
                 )

data/lib/rules/shell_injection_jq.rb

@@ -1,5 +1,9 @@
+require_relative "concerns/guard_patterns"
+
 module Rules
     class ShellInjectionJq < Base
+        include GuardPatterns
+
         def name = "shell-injection-jq"
         def description = "Shell variable interpolated in double-quoted jq/curl JSON argument"
         def severity = :critical
@@ -11,11 +15,17 @@ module Rules
 
         JQ_PATTERN = /jq\s+([a-zA-Z-]+\s+)*--arg\s+\w+\s+"[^"]*\$\{/
         CURL_JSON_PATTERN = /curl\s.*-d\s+"[^"]*\$\{/
+
         def check(workflow)
             findings = []
 
+            return [] if safe_trigger_only?(workflow)
+
             workflow.raw_lines.each_with_index do |line, i|
                 line_num = i + 1
+                next if line.strip.start_with?('#')
+                next unless in_run_block?(workflow, line_num)
+                next if guarded_by_safe_event?(workflow, line_num)
 
                 if line.match?(JQ_PATTERN)
                     var_match = line.match(/\$\{(\w+)\}/)
@@ -51,6 +61,25 @@ module Rules
 
         private
 
+        def in_run_block?(workflow, target_line)
+            target_content = workflow.raw_lines[target_line - 1]
+            target_indent = target_content ? target_content[/^\s*/].length : 0
+
+            (target_line - 1).downto([target_line - 20, 0].max) do |i|
+                content = workflow.raw_lines[i]
+                next unless content
+
+                return true if content.match?(/^\s+run:\s*[\|>]?\s*$/) || content.match?(/^\s+run:\s+\S/)
+                return true if content.match?(/^\s+-\s+run:\s*[\|>]?\s*$/) || content.match?(/^\s+-\s+run:\s+\S/)
+
+                if content.match?(/^\s+(uses|with|if|id|name|env):/) || content.match?(/^\s+-\s+name:/)
+                    line_indent = content[/^\s*/].length
+                    return false if target_indent <= line_indent + 2
+                end
+            end
+            false
+        end
+
         def potentially_attacker_controlled?(var_name)
             ATTACKER_ENV_VARS.any? { |v| var_name.upcase == v } ||
                 var_name.match?(/^(PR_|ISSUE_|COMMENT_)?(TITLE|BODY|HEAD_REF|BRANCH_NAME|COMMENT_BODY|AUTHOR)$/i)

data/lib/rules/workflow_dispatch_injection.rb

@@ -1,24 +1,33 @@
+require_relative "concerns/guard_patterns"
+
 module Rules
     class WorkflowDispatchInjection < Base
+        include GuardPatterns
+
         def name = "workflow-dispatch-injection"
         def description = "User-controlled workflow_dispatch input in run: block"
         def severity = :high
 
         PATTERN = /\$\{\{\s*(?:inputs\.|github\.event\.inputs\.)/
 
+        # NOTE: This rule intentionally does NOT use safe_trigger_only? because
+        # dispatch inputs are user-controlled. workflow_dispatch IS in SAFE_TRIGGERS
+        # for other rules, but this rule specifically targets ${{ inputs.* }} in
+        # run blocks — those inputs are always attacker-controlled.
+
         def check(workflow)
             findings = []
 
             workflow.lines_of(PATTERN).each do |line_num|
                 line = workflow.line_content(line_num)
+                next if line.strip.start_with?('#')
                 next unless in_run_block?(workflow, line_num)
-
                 match = line.match(/\$\{\{\s*((?:inputs|github\.event\.inputs)\.[^\s}]+)/)
                 next unless match
 
                 findings << finding(workflow,
                     line: line_num,
-                    code: line.strip,
+                    code: workflow.line_content(line_num).strip,
                     message: "User-controlled input ${{ #{match[1]} }} in run: block — shell injection risk",
                     fix: "Move to env: block and reference as $ENV_VAR"
                 )
@@ -40,9 +49,6 @@ module Rules
                 return true if content.match?(/^\s+run:\s*[\|>]?\s*$/) || content.match?(/^\s+run:\s+\S/)
                 return true if content.match?(/^\s+-\s+run:\s*[\|>]?\s*$/) || content.match?(/^\s+-\s+run:\s+\S/)
 
-                # Stop at step-level keys, but only if the target line is at or
-                # shallower than this key's indent (meaning the target is a sibling
-                # or child of this key, not content of a deeper run: block).
                 if content.match?(/^\s+(uses|with|if|id|name|env):/) || content.match?(/^\s+-\s+name:/)
                     line_indent = content[/^\s*/].length
                     return false if target_indent <= line_indent + 2

data/lib/scanner.rb

@@ -124,7 +124,7 @@ class Scanner
             findings: findings
         )
 
-        { output: output, findings: findings, workflow_count: workflow_count }
+        { output: output, findings: findings, workflow_count: workflow_count, workflows: raw_workflows || [] }
     end
 
     def scan_org(org)

data/lib/version.rb

@@ -1,3 +1,3 @@
 module Sentinel
-    VERSION = "1.3.0"
+    VERSION = "1.3.1"
 end

data/lib/workflow.rb

@@ -7,7 +7,7 @@ class Workflow
         @filename = filename
         @raw = content
         @raw_lines = content.lines
-        @data = YAML.safe_load(content) || {}
+        @data = YAML.safe_load(content, aliases: true) || {}
     rescue YAML::SyntaxError => e
         @data = {}
         @parse_error = e.message

data/mcp/server.rb

@@ -214,7 +214,7 @@ class McpServer
                 patched = AutoFix.apply(finding, content, sha_resolver: sha_resolver)
                 if patched && patched != content
                     begin
-                        YAML.safe_load(patched)
+                        YAML.safe_load(patched, aliases: true)
                         content = patched
                     rescue YAML::SyntaxError => e
                         $stderr.puts "MCP fix: invalid YAML for #{finding.rule} in #{file}, skipping: #{e.message}"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sentinel-ci
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.3.1
 platform: ruby
 authors:
 - Jordan Ritter
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-05-19 00:00:00.000000000 Z
+date: 2026-05-22 00:00:00.000000000 Z
 dependencies: []
 description: Scan GitHub Actions workflows for 32 security vulnerabilities. SHA pinning,
   shell injection, credential exposure, dangerous triggers. Optional AI-powered remediation
@@ -44,10 +44,12 @@ files:
 - lib/platforms/shared_patterns.rb
 - lib/policy.rb
 - lib/rule_engine.rb
+- lib/rules/ai_config_injection.rb
 - lib/rules/allow_forks_artifact.rb
 - lib/rules/base.rb
 - lib/rules/build_publish_same_job.rb
 - lib/rules/cache_poisoning.rb
+- lib/rules/concerns/guard_patterns.rb
 - lib/rules/credential_window.rb
 - lib/rules/curl_pipe_shell.rb
 - lib/rules/dangerous_lifecycle_scripts.rb