{"meta":{"title":"GitHub Actions 查询 CodeQL 分析","intro":"在选择 default 或 security-extended 查询套件时,探索 CodeQL 用于分析 GitHub Actions 工作流文件中代码的查询。","product":"安全性和代码质量","breadcrumbs":[{"href":"/zh/code-security","title":"安全性和代码质量"},{"href":"/zh/code-security/reference","title":"Reference"},{"href":"/zh/code-security/reference/code-scanning","title":"代码扫描"},{"href":"/zh/code-security/reference/code-scanning/codeql","title":"CodeQL"},{"href":"/zh/code-security/reference/code-scanning/codeql/codeql-queries","title":"内置 CodeQL 查询"},{"href":"/zh/code-security/reference/code-scanning/codeql/codeql-queries/actions-built-in-queries","title":"操作查询"}],"documentType":"article"},"body":"# GitHub Actions 查询 CodeQL 分析\n\n在选择 default 或 security-extended 查询套件时,探索 CodeQL 用于分析 GitHub Actions 工作流文件中代码的查询。\n\nCodeQL 包含许多用于分析 GitHub Actions 工作流的查询。 默认情况下,`default` 查询套件中的所有查询都会运行。 如果选择使用 `security-extended` 查询套件,则会运行其他查询。 有关详细信息,请参阅“[CodeQL 查询套件](/zh/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites)”。\n\n## GitHub Actions 分析的内置查询\n\n下表列出了最新版本的 CodeQL 操作和 CodeQL CLI 的可用查询。 有关详细信息,请参阅 CodeQL 文档中的 [CodeQL 更改日志](https://codeql.github.com/docs/codeql-overview/codeql-changelog/)。\n\n
\n\n| 查询名称 | 相关的 CWE | 默认 | 延期 | Copilot自动修复 |\n| ----------------------------------------------------------------------------------------------------------------- | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| [工件中毒](https://codeql.github.com/codeql-query-help/actions/actions-artifact-poisoning-critical/) | 829 | | | |\n| [通过缓存不受信任的文件导致缓存中毒](https://codeql.github.com/codeql-query-help/actions/actions-cache-poisoning-direct-cache/) | 349 | | | |\n| [通过执行不受信任的代码导致缓存中毒](https://codeql.github.com/codeql-query-help/actions/actions-cache-poisoning-poisonable-step/) | 349 | | | |\n| [通过低特权代码注入导致缓存中毒](https://codeql.github.com/codeql-query-help/actions/actions-cache-poisoning-code-injection/) | 349, 094 | | | |\n| [在特权上下文中签出不受信任的代码](https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-critical/) | 829 | | | |\n| [在受信任上下文中签出不受信任的代码](https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-high/) | 829 | | | |\n| [代码注入](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-critical/) | 094、095、116 | | | |\n| [从用户控制的来源生成的环境变量](https://codeql.github.com/codeql-query-help/actions/actions-envvar-injection-critical/) | 077, 020 | | | |\n| [机密暴露过多](https://codeql.github.com/codeql-query-help/actions/actions-excessive-secrets-exposure/) | 312 | | | |\n| [访问控制不当](https://codeql.github.com/codeql-query-help/actions/actions-improper-access-control/) | 285 | | | |\n| [从用户控制的来源生成的 PATH 环境变量](https://codeql.github.com/codeql-query-help/actions/actions-envpath-injection-critical/) | 077, 020 | | | |\n| [在 GitHub Actions 工件中存储敏感信息](https://codeql.github.com/codeql-query-help/actions/actions-secrets-in-artifacts/) | 312 | | | |\n| [未屏蔽的机密暴露](https://codeql.github.com/codeql-query-help/actions/actions-unmasked-secret-exposure/) | 312 | | | |\n| [不受信任的签出 TOCTOU](https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-toctou-critical/) | 367 | | | |\n| [不受信任的签出 TOCTOU](https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-toctou-high/) | 367 | | | |\n| [使用已知易受攻击的操作](https://codeql.github.com/codeql-query-help/actions/actions-vulnerable-action/) | 1395 | | | |\n| [工作流不包含权限](https://codeql.github.com/codeql-query-help/actions/actions-missing-workflow-permissions/) | 275 | | | |\n| [工件中毒](https://codeql.github.com/codeql-query-help/actions/actions-artifact-poisoning-medium/) | 829 | | | |\n| [在受信任上下文中签出不受信任的代码](https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-medium/) | 829 | | | |\n| [代码注入](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-medium/) | 094、095、116 | | | |\n| [从用户控制的来源生成的环境变量](https://codeql.github.com/codeql-query-help/actions/actions-envvar-injection-medium/) | 077, 020 | | | |\n| [从用户控制的来源生成的 PATH 环境变量](https://codeql.github.com/codeql-query-help/actions/actions-envpath-injection-medium/) | 077, 020 | | | |\n| [工作流中非不可变操作的取消固定标记](https://codeql.github.com/codeql-query-help/actions/actions-unpinned-tag/) | 829 | | | |\n\n
"}