iac/actions/gha-pull-request-target-checkout-head
pull_request_target checks out untrusted PR code
What it detects
pull_request_target runs with repository secrets available. Checking out the PR head (github.event.pull_request.head.sha / head.ref / github.head_ref) under this trigger means that any later step which builds or tests the PR runs attacker-controlled code with write access and with every secret exposed. This pattern is the root cause of the GhostAction / s1ngularity wave of breaches.
Remediation
Either switch to `pull_request` (no secrets exposed), or keep `pull_request_target` but check out only the base branch ref and never run code from the PR.
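The detection described above and both remediations, as an added example that is not the scanner's own implementation: a small standard-library Python detector that flags a checkout of the PR head only when the workflow is triggered by pull_request_target, exercised against three constructed workflows (the vulnerable pattern, the base-ref-only fix, and the switch to pull_request). The function names, the sample workflows and the line-based parsing approach are this example's own assumptions.

```python
"""Detector for the pull_request_target + PR-head checkout pattern.
Added example, not the scanner's own code. Line-based on purpose: no YAML
library needed, and no YAML 1.1 quirk where an unquoted `on` key loads as
boolean True. Anchors and multi-line flow mappings are out of scope; `with:`
is assumed to follow `uses:` inside a step."""
import re

# Expressions that resolve to the PR author's commit instead of the base branch.
HEAD_REFS = (
    "github.event.pull_request.head.sha",
    "github.event.pull_request.head.ref",
    "github.head_ref",
)

def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))

def uses_pull_request_target(text: str) -> bool:
    """True if the top-level on: trigger includes pull_request_target."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^['\"]?on['\"]?:\s*(.*)$", line)
        if not m:
            continue
        rest = re.sub(r"#.*$", "", m.group(1)).strip()  # drop a trailing comment
        if rest:  # `on: pull_request_target` or `on: [push, pull_request_target]`
            return re.search(r"\bpull_request_target\b", rest) is not None
        for nxt in lines[i + 1:]:  # block form: triggers nested under on:
            if nxt.strip() and _indent(nxt) == 0:
                break  # reached the next top-level key (jobs:, env:, ...)
            if re.match(r"^\s*(?:-\s*)?pull_request_target\b", nxt):
                return True
        return False
    return False

def checkout_refs(text: str) -> list[tuple[int, str]]:
    """Return (line_number, ref_value) for every actions/checkout step with ref:."""
    lines = text.splitlines()
    found = []
    for i, line in enumerate(lines):
        if not re.match(r"^\s*(?:-\s*)?uses:\s*['\"]?actions/checkout", line):
            continue
        # Step keys sit at the indent of `uses`, plus 2 when `- uses:` opens the item.
        key_indent = _indent(line) + (2 if line.lstrip().startswith("- ") else 0)
        for j in range(i + 1, len(lines)):
            if not lines[j].strip():
                continue
            if _indent(lines[j]) < key_indent:
                break  # left this step: next step, next job, or end of mapping
            m = re.match(r"^\s*ref:\s*(.+?)\s*$", lines[j])
            if m:
                found.append((j + 1, m.group(1)))
    return found

def scan_workflow(text: str) -> list[str]:
    """Apply the rule: report each PR-head checkout under pull_request_target."""
    if not uses_pull_request_target(text):
        return []  # plain pull_request exposes no secrets; a head checkout is fine
    return [
        f"line {n}: actions/checkout ref {ref!r} checks out untrusted PR code "
        "while pull_request_target exposes secrets"
        for n, ref in checkout_refs(text)
        if any(h in ref for h in HEAD_REFS)
    ]

# Constructed sample workflows (not taken from any real repository).
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test   # the PR's own code runs with secrets in scope
"""
FIXED_BASE_ONLY = """\
on: [push, pull_request_target]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout base branch
        uses: actions/checkout@v4   # no ref: checks out the base commit
      - run: ./scripts/label-pr.sh  # never executes PR-supplied code
"""
FIXED_PULL_REQUEST = """\
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
      - run: npm ci && npm test   # untrusted code, but no secrets to expose
"""
```

Calling `scan_workflow(VULNERABLE)` returns one finding pointing at the `ref:` line; the other two samples return an empty list. The second sample passes because actions/checkout without a `ref:` under pull_request_target checks out the base branch commit, which is exactly the "base branch ref only" remediation; the third passes because a head checkout under plain `pull_request` has no secrets to leak, so the rule deliberately stays silent there.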
How it runs
Run against `.github/workflows/*.yml` files. Targets the published patterns behind real-world breaches (GhostAction, s1ngularity, tj-actions/changed-files).
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.