feat(workflow-scanner): E11 part 1 — core file-walk + 23-field blacklist + sink-restriction
Adds a deterministic GitHub Actions / Forgejo Actions injection
scanner. Detects \${{ <dangerous-field> }} interpolations inside
\`run:\` step blocks under privileged or semi-privileged triggers.
Sink-restricted: \`if:\` / \`with:\` / \`env:\` (block-level) are
evaluated by the runner expression engine, not the shell, so they
are NOT injection sinks and are suppressed at parser level.
Why: workflow expression injection is the most prevalent SAST class
on GitHub (CodeQL preview: 800K+ findings across 158K repos). The
graduated severity matrix (HIGH for pull_request_target / discussion
/ workflow_run; MEDIUM for pull_request / workflow_dispatch) is the
community-converged calibration target — uniform HIGH causes alert
fatigue.
Components:
- scanners/lib/workflow-yaml-state.mjs — line-based YAML state
machine. Tracks indentation, parent-context stack, and
\`run: |\` / \`run: >\` block-scalar entry/exit. Zero deps.
- scanners/workflow-scanner.mjs — discoverWorkflows() probes
.github/workflows/ and .forgejo/workflows/ directly (file-discovery
has no glob include). 23-field blacklist (GHSL 17 + 6 GlueStack-
class additions). Platform encoded via file path; no schema
extension to finding(). Forgejo-specific: workflow_run advisory
emitted to stderr; recommendation text mentions Forgejo's
server-level token scoping (job-level permissions: is ignored).
- knowledge/workflow-injection-patterns.md — 23-field blacklist,
trigger taxonomy, severity matrix, Forgejo divergences, NVD CVE
corpus.
Tests (47 new):
- tests/lib/workflow-yaml-state.test.mjs (15): trigger forms
(string / inline-list / block-list / block-mapping), single-line
run, block-scalar | and > tracking, env/with sink-mismatch,
multi-line, comment stripping, line-number accuracy.
- tests/scanners/workflow-scanner.test.mjs (14): TP head_ref
pull_request_target, TP discussion.title gluestack pattern,
TP comment.body pull_request, TP issue.body block-scalar,
FP if-context, FP env-block, INFO numeric, Forgejo TP, Forgejo
workflow_run advisory, envelope shape, WFL prefix.
- 9 fixtures in tests/fixtures/workflows/{.github,.forgejo}/workflows/.
Out of scope (B4 / Batch D):
- Re-interpolation detection (env.VAR after env: from blacklisted source)
- github.actor authorization-bypass category
- WFL prefix in severity.mjs OWASP maps + scan-orchestrator
registration (B4)
- Composite-action input tracing, GITHUB_ENV poisoning (Batch D)
Test count: 1685 → 1732 (+47). Pre-compact-scan flake unchanged
(passes in isolation).
c31d4b1718