Self Hosted Runner Write All

Description

Self-hosted runners with write-all permissions create extreme security risks: write-all grants excessive access to repository resources, and if the runner is compromised, attackers have full write access to modify code, create backdoors, or exfiltrate data. Self-hosted runners with write-all are extremely dangerous and violate the principle of least privilege. 1 2

Vulnerable Instance

  • Workflow uses self-hosted runners with permissions: write-all or no explicit permissions (defaults to write-all).
  • Compromised runner can modify repository contents, create backdoors, or exfiltrate data.
  • Full repository access enables persistent compromise.

name: Build with Write All
on: [push]
jobs:
  build:
    runs-on: self-hosted
    permissions:
      contents: write  # Dangerous on self-hosted
    steps:
      - uses: actions/checkout@v4
      - run: npm test

Mitigation Strategies

  1. Use specific, scoped permissions
    Grant only the minimum permissions required. Use contents: read, pull-requests: read, etc., instead of write-all.

  2. Follow principle of least privilege
    Review what the workflow actually needs. Grant only the minimum permissions required and avoid write-all at all costs.

  3. Use job-level permissions
    Scope permissions to specific jobs. Use different permissions for different jobs and minimize permissions on self-hosted runners.

  4. Prefer GitHub-hosted runners
    Use GitHub-hosted runners when possible. They’re isolated and ephemeral, reducing the risk of compromise.

  5. Regularly audit permissions
    Review all workflow permissions, remove unnecessary permissions, and document why permissions are needed.

  6. Isolate self-hosted runners
    If write permissions are necessary, isolate self-hosted runners in separate networks with minimal access to other systems.
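The audit in mitigation 5 is easy to automate. The script below is an added example, not code from the original page: it walks the structure that yaml.safe_load() would produce for a workflow file, resolves job-level permissions over workflow-level ones (mitigation 3), and reports any self-hosted job whose effective token grant is write-all, an explicit write scope, or unset. The sample workflows are constructed inline so it runs offline; the function names and finding labels are this example's own.

```python
"""Flag self-hosted GitHub Actions jobs whose token permissions exceed least privilege.

Added example, not from the original page. Input is the dict that
yaml.safe_load() returns for a workflow file; sample workflows below are
constructed for this example.
"""
from typing import Any

WRITE_ALL = "write-all"


def is_self_hosted(runs_on: Any) -> bool:
    """True when the job's runs-on value carries the 'self-hosted' label."""
    if isinstance(runs_on, str):
        return runs_on == "self-hosted"
    if isinstance(runs_on, list):
        return "self-hosted" in runs_on
    if isinstance(runs_on, dict):  # runner-group form: {group: ..., labels: [...]}
        labels = runs_on.get("labels", [])
        return "self-hosted" in ([labels] if isinstance(labels, str) else labels)
    return False


def effective_permissions(workflow: dict, job: dict) -> Any:
    """A job-level permissions block replaces the workflow-level one; None if neither is set."""
    if "permissions" in job:
        return job["permissions"]
    return workflow.get("permissions")


def write_scopes(perms: Any) -> list:
    """Scopes granted 'write' in a permissions mapping (empty for string forms)."""
    if not isinstance(perms, dict):
        return []
    return sorted(scope for scope, level in perms.items() if level == "write")


def audit_workflow(workflow: dict) -> list:
    """Return (job_id, finding) pairs for self-hosted jobs with excessive token rights."""
    findings = []
    for job_id, job in workflow.get("jobs", {}).items():
        if not is_self_hosted(job.get("runs-on")):
            continue
        perms = effective_permissions(workflow, job)
        if perms is None:
            # Nothing explicit at either level: the token falls back to the
            # repository default, which this page treats as write-all.
            findings.append((job_id, "implicit-permissions"))
        elif perms == WRITE_ALL:
            findings.append((job_id, "write-all"))
        else:
            scopes = write_scopes(perms)
            if scopes:
                findings.append((job_id, "write:" + ",".join(scopes)))
    return findings


# Constructed samples mirroring the page's vulnerable and secure workflows.
VULNERABLE_WORKFLOW = {
    "name": "Build with Write All",
    "on": ["push"],
    "jobs": {"build": {"runs-on": "self-hosted",
                       "permissions": {"contents": "write"},
                       "steps": [{"uses": "actions/checkout@v4"}, {"run": "npm test"}]}},
}
IMPLICIT_WORKFLOW = {
    "name": "Build without permissions block",
    "on": ["push"],
    "jobs": {"build": {"runs-on": "self-hosted",
                       "steps": [{"uses": "actions/checkout@v4"}, {"run": "npm test"}]}},
}
SECURE_WORKFLOW = {
    "name": "Build with Minimal Permissions",
    "on": ["push"],
    "jobs": {"build": {"runs-on": "self-hosted",
                       "permissions": {"contents": "read"},
                       "steps": [{"uses": "actions/checkout@v4"}, {"run": "npm test"}]}},
}
# Workflow-level write-all, partly overridden per job (mitigation 3).
MIXED_WORKFLOW = {
    "name": "Mixed",
    "on": ["push"],
    "permissions": WRITE_ALL,
    "jobs": {
        "build": {"runs-on": ["self-hosted", "linux"], "steps": [{"run": "npm test"}]},
        "deploy": {"runs-on": ["self-hosted", "linux"],
                   "permissions": {"contents": "read", "deployments": "write"},
                   "steps": [{"run": "./deploy.sh"}]},
        "lint": {"runs-on": "ubuntu-latest", "steps": [{"run": "npm run lint"}]},
    },
}

if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE_WORKFLOW), ("implicit", IMPLICIT_WORKFLOW),
                     ("secure", SECURE_WORKFLOW), ("mixed", MIXED_WORKFLOW)]:
        print(name, audit_workflow(wf))
```

Only self-hosted jobs are reported because that is the scope of this check; the "lint" job in the mixed sample inherits write-all from the workflow level but runs on a GitHub-hosted runner, so it is left to a separate, broader permissions check. To run this over a real repository, load each file under .github/workflows with yaml.safe_load() and pass the result to audit_workflow().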

Secure Version

 name: Build with Minimal Permissions
 on: [push]
 jobs:
   build:
     runs-on: self-hosted
     permissions:
-      contents: write  # Dangerous on self-hosted
+      contents: read  # Only what's needed
+      pull-requests: read
     steps:
       - uses: actions/checkout@v4
       - run: npm test
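Review bot: the added `+      pull-requests: read` grant is not used by either step shown (`actions/checkout@v4` and `npm test` need only `contents: read`), so it undercuts the least-privilege point this secure version is meant to illustrate; drop it, or name the step that requires it. Note also that the job still declares `runs-on: self-hosted`, so the diff narrows token scope but leaves runner exposure unchanged, which is the concern mitigation 4 addresses.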

Impact

Dimension    | Severity | Notes
-------------|----------|------
Likelihood   | Medium   | Write-all permissions on self-hosted runners are less common but create extreme risk when present.
Risk         | Critical | Compromised runners with write-all can modify code, create backdoors, or exfiltrate data, enabling persistent repository compromise.
Blast radius | Wide     | Full repository write access can affect all code, workflows, and secrets in the repository, potentially compromising the entire codebase.
