Actions: Add experimental prompt injection queries for CWE 1427 #21675

Draft
data-douser wants to merge 2 commits into github:main from data-douser:codeql-actions-scs/cwe-1427

Conversation

@data-douser
Contributor

Actions: Add experimental CWE-1427 prompt injection queries

Description

Adds detection for prompt injection vulnerabilities (CWE-1427) in GitHub Actions workflows that pass user-controlled data into AI inference action prompts.

As AI-powered GitHub Actions (e.g. actions/ai-inference, anthropics/claude-code-action, google-github-actions/run-gemini-cli, warpdotdev/oz-agent-action) become more widely adopted in CI/CD workflows, attackers can craft malicious issue titles, PR bodies, comments, or branch names that get interpolated directly into AI prompts — potentially hijacking AI behavior to exfiltrate secrets, produce misleading output, or influence downstream automation.

New queries

| Query ID | Severity | Description |
| --- | --- | --- |
| actions/prompt-injection/critical | 9.0 (error) | User-controlled data flowing into AI prompts in privileged contexts (issues, issue_comment, pull_request_review, repository_dispatch, workflow_run, etc.) |
| actions/prompt-injection/medium | 5.0 (warning) | User-controlled data flowing into AI prompts on non-privileged or read-only events (pull_request, pull_request_target with read permissions) not already caught by Critical |

New library and MaD models

  • PromptInjectionQuery.qll: Taint-tracking configuration from RemoteFlowSource to MaD-defined prompt-injection sinks, with severity-tiered predicates for Critical vs Medium.
  • prompt_injection_sinks.model.yml: 30+ actionsSinkModel entries covering GitHub official AI actions, Anthropic, Google, OpenAI, Warp, and community AI actions from the GitHub Marketplace.
  • ControlChecks.qll: Added "prompt-injection" to control check categories so existing ActorCheck, AssociationCheck, etc. can suppress findings where appropriate.

Variant analysis results

The queries were validated through MRVA across 479 CodeQL actions databases:

  • Critical: 10 true positive findings across 4 repos on privileged events
  • Medium: 2+ findings on pull_request_target events with read-only permissions (previously missed)
  • 0 false positives observed — findings suppressed correctly by AssociationCheck (author_association) and ActorCheck (github.actor) control checks

Test coverage

  • 15 test workflow fixtures: 11 vulnerable (covering issues, issue_comment, repository_dispatch, pull_request, pull_request_review, pull_request_target, workflow_run events across 4 different AI actions) and 4 safe (hardcoded prompts, push events, author_association checks, actor checks)
  • All tests passing for both Critical and Medium queries

References

Add detection for prompt injection vulnerabilities (CWE-1427) in GitHub
Actions workflows that use AI inference actions.

New queries:
- PromptInjectionCritical.ql: Detects user-controlled data flowing into
  AI prompts in privileged contexts (severity 9.0)
- PromptInjectionMedium.ql: Detects prompt injection on non-privileged
  but externally triggerable events like pull_request (severity 5.0)

New library:
- PromptInjectionQuery.qll: Taint tracking from remote flow sources to
  MaD-defined prompt-injection sinks

MaD model (prompt_injection_sinks.model.yml):
- 30+ AI actions including actions/ai-inference, anthropics/claude-code-action,
  google-github-actions/run-gemini-cli, warpdotdev/oz-agent-action, and others

ControlChecks.qll: Add 'prompt-injection' to control check categories
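The following is an added illustration, not code from this PR or from the CodeQL Actions library: a small Python checker that mirrors the severity tiering and control-check suppression the PR description lays out for CWE-1427. Sample workflows are constructed and written as plain dicts (so no YAML parser is needed), `PROMPT_SINKS` is a hypothetical stand-in for the MaD model with the four actions the description names (the `prompt` input names are assumptions), `USER_CONTROLLED` stands in for RemoteFlowSource, and `CONTROL_CHECK` stands in for AssociationCheck/ActorCheck. Treating pull_request_target as privileged unless its permissions are explicitly read-only is this example's reading of the "with read permissions" wording, not something the PR states.

```python
import re

# Hypothetical sink table (the PR ships 30+ entries in prompt_injection_sinks.model.yml):
# action name -> the `with:` input that carries the prompt. Input names are assumptions.
PROMPT_SINKS = {
    "actions/ai-inference": "prompt",
    "anthropics/claude-code-action": "prompt",
    "google-github-actions/run-gemini-cli": "prompt",
    "warpdotdev/oz-agent-action": "prompt",
}

# Triggers the Critical query treats as privileged (from the PR's severity table).
PRIVILEGED_EVENTS = {"issues", "issue_comment", "pull_request_review",
                     "repository_dispatch", "workflow_run"}
# Externally triggerable events the Medium query covers when Critical did not fire.
EXTERNAL_EVENTS = {"pull_request", "pull_request_target"}

# Stand-in for RemoteFlowSource: expressions reading text an outside party controls
# (issue titles/bodies, PR bodies, comments, branch names, dispatch payloads).
USER_CONTROLLED = re.compile(
    r"\$\{\{\s*github\.(?:event\.(?:"
    r"issue\.(?:title|body)|pull_request\.(?:title|body|head\.ref)|comment\.body|review\.body"
    r"|client_payload\.[\w.]+|workflow_run\.(?:head_branch|display_title))"
    r"|head_ref)\s*\}\}"
)

# Stand-in for AssociationCheck / ActorCheck: an `if:` on the job or step that gates
# on author_association or github.actor suppresses the finding.
CONTROL_CHECK = re.compile(r"author_association|github\.actor\b")


def triggers(workflow):
    """Normalise the `on:` key, which may be a string, a list or a mapping."""
    on = workflow.get("on", {})
    return {on} if isinstance(on, str) else set(on)


def read_only(permissions):
    """True when the token is explicitly restricted to read access (or to nothing)."""
    if permissions == "read-all":
        return True
    if isinstance(permissions, dict):
        return all(level == "read" for level in permissions.values())
    return False  # absent or write-all: the token may hold write scopes


def job_severity(workflow, job):
    """Map a job's triggers and permissions onto the PR's two severity tiers."""
    events = triggers(workflow)
    permissions = job.get("permissions", workflow.get("permissions"))
    if events & PRIVILEGED_EVENTS:
        return "critical"
    # Assumption: pull_request_target is privileged unless explicitly read-only.
    if "pull_request_target" in events and not read_only(permissions):
        return "critical"
    if events & EXTERNAL_EVENTS:
        return "medium"
    return None  # e.g. push: not externally triggerable, no finding


def guarded(job, step):
    """True when a job- or step-level `if:` applies a recognised control check."""
    return any(CONTROL_CHECK.search(str(c)) for c in (job.get("if"), step.get("if")) if c)


def find_prompt_injection(workflow):
    """Return (severity, job, step index, tainted expression) for each unguarded sink."""
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        severity = job_severity(workflow, job)
        if severity is None:
            continue
        for index, step in enumerate(job.get("steps", [])):
            prompt_input = PROMPT_SINKS.get(step.get("uses", "").split("@", 1)[0])
            if prompt_input is None:
                continue
            match = USER_CONTROLLED.search(str(step.get("with", {}).get(prompt_input, "")))
            if match and not guarded(job, step):
                findings.append((severity, job_name, index, match.group(0)))
    return findings


# Constructed sample workflows modelled on the fixture kinds the PR describes.
VULNERABLE_ISSUES = {"on": "issues", "jobs": {"triage": {"steps": [
    {"uses": "actions/ai-inference@v1",
     "with": {"prompt": "Label this issue: ${{ github.event.issue.title }}"}}]}}}
MEDIUM_READ_ONLY_PRT = {"on": {"pull_request_target": {}}, "permissions": {"contents": "read"},
    "jobs": {"review": {"steps": [
        {"uses": "anthropics/claude-code-action@v1",
         "with": {"prompt": "Review this change: ${{ github.event.pull_request.body }}"}}]}}}
SAFE_ASSOCIATION_GUARD = {"on": "issue_comment", "jobs": {"respond": {
    "if": "contains(fromJSON('[\"OWNER\",\"MEMBER\"]'), github.event.comment.author_association)",
    "steps": [{"uses": "google-github-actions/run-gemini-cli@v1",
               "with": {"prompt": "Answer: ${{ github.event.comment.body }}"}}]}}}
SAFE_HARDCODED_PUSH = {"on": "push", "jobs": {"summarise": {"steps": [
    {"uses": "actions/ai-inference@v1",
     "with": {"prompt": "Summarise the latest commit on main."}}]}}}


def scan_samples():
    """Run the checker over every constructed sample."""
    samples = {"vulnerable_issues": VULNERABLE_ISSUES, "medium_read_only_prt": MEDIUM_READ_ONLY_PRT,
               "safe_association_guard": SAFE_ASSOCIATION_GUARD, "safe_hardcoded_push": SAFE_HARDCODED_PUSH}
    return {name: find_prompt_injection(wf) for name, wf in samples.items()}
```

Running `scan_samples()` reports one Critical finding for the `issues`-triggered workflow, one Medium finding for the read-only `pull_request_target` workflow, and nothing for the two safe fixtures, which is the same split the PR's test coverage describes. Note that, unlike code or environment-variable injection, routing the untrusted text through an intermediate variable does not help here: the text still reaches the model, so the meaningful mitigations are the trigger, permission and author/actor gates the checker models.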
@github-actions github-actions bot added the `documentation` and `Actions` (Analysis of GitHub Actions) labels on Apr 9, 2026
@data-douser data-douser changed the title from "Actions: Add experimental prompt injection queries for CWE1427" to "Actions: Add experimental prompt injection queries for CWE 1427" on Apr 9, 2026
@@ -0,0 +1 @@
experimental/Security/CWE-1427/PromptInjectionCritical.ql
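Review bot: the file header for this hunk is not shown, so it is not clear which listing this path is being appended to (a query suite, an expected-queries list, or similar); please confirm the path is relative to the root that listing expects and that `PromptInjectionCritical.ql` itself carries the `@id actions/prompt-injection/critical` and severity 9.0 metadata the description promises. The `documentation` label suggests help text was added as well, but no `.qhelp` or change note is visible in these hunks, so a pointer to those files in the description would help reviewers.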
@@ -0,0 +1 @@
experimental/Security/CWE-1427/PromptInjectionMedium.ql
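Review bot: the description says the Medium query reports only what is "not already caught by Critical", but listing both queries side by side here does not enforce that; please confirm that `PromptInjectionMedium.ql` excludes the privileged-event cases in the query itself (for example by reusing the Critical predicate from `PromptInjectionQuery.qll`) so a single sink is not reported twice at two severities, and that the test fixtures include at least one case exercising that exclusion.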
@data-douser data-douser requested a review from knewbury01 on April 9, 2026 at 01:54