LoFP / github

github rule

Title
a self-hosted runner is automatically removed from github if it has not connected to github actions for more than 14 days.
allowed administrative activities.
allowed self-hosted runners changes in the environment.
an ephemeral self-hosted runner is automatically removed from github if it has not connected to github actions for more than 1 day.
approved administrator/owner activities.
approved changes by the organization owner. validate that the 'actor' is authorized to make the changes.
archiving or unarchiving a repository is often legitimate. investigate this action to determine if it was authorized.
authorized self-hosted github actions runner.
legitimate ci/cd automation that commits and pushes changes (e.g., auto-formatting, changelog updates, version bumps, dependabot auto-merge) will trigger this alert on first use in a repository. review the repository's workflow configurations to determine if bot pushes are expected.
legitimate ci/cd automation that requires workflow file modifications may trigger this alert if not properly configured with the necessary permissions. review the workflow configuration and ensure the github_token or pat has the required 'workflows' permission if the modification is intentional.
legitimate publishing of repository pages by authorized users.
organization approved new members.
this detection could be noisy depending on the environment. it is recommended to keep a check on new secrets when they are created and validate the "actor".
validate that the actor is permitted to access the repo.
validate that the deletion activity is permitted. the "actor" field needs to be validated.
validate the multifactor authentication changes.
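Most of the notes above reduce to the same triage step: check the audit-log "actor" against what the organization has approved, and suppress only the cases the notes call legitimate (approved owners/admins, allowed self-hosted runner changes, bot pushes that the repository's workflows are expected to make) while leaving secret creation and multifactor changes for review regardless of who performed them. The following script is an added example of that triage over constructed GitHub audit-log events; it is not code from LoFP or from the detection rules these notes belong to. The event field names (action, actor, org, repo, created_at) follow GitHub's audit-log export format, but the action names, actors, repositories and allowlists are assumptions chosen for illustration.

```python
"""Triage of GitHub audit-log alerts against the false-positive notes above.

Added example, not code from LoFP or from the detection rules the notes belong to.
Assumptions: event field names (action, actor, org, repo, created_at) follow
GitHub's audit-log export; the action names, actors, repos and allowlists are
hypothetical and chosen for illustration.
"""
import json
from dataclasses import dataclass

# Constructed sample audit-log export (JSON lines); every actor and repo is made up.
SAMPLE_AUDIT_LOG = """\
{"action":"repo.destroy","actor":"octo-owner","org":"acme","repo":"acme/legacy","created_at":1700000000000}
{"action":"repo.destroy","actor":"contractor-jane","org":"acme","repo":"acme/billing","created_at":1700000100000}
{"action":"org.register_self_hosted_runner","actor":"ci-admin","org":"acme","created_at":1700000200000}
{"action":"org.register_self_hosted_runner","actor":"dev-bob","org":"acme","created_at":1700000300000}
{"action":"git.push","actor":"dependabot[bot]","org":"acme","repo":"acme/app","created_at":1700000400000}
{"action":"git.push","actor":"dependabot[bot]","org":"acme","repo":"acme/app","created_at":1700000500000}
{"action":"git.push","actor":"release-bot[bot]","org":"acme","repo":"acme/app","created_at":1700000600000}
{"action":"git.push","actor":"release-bot[bot]","org":"acme","repo":"acme/app","created_at":1700000700000}
{"action":"org.disable_two_factor_requirement","actor":"octo-owner","org":"acme","created_at":1700000800000}
{"action":"repo.create_actions_secret","actor":"dev-bob","org":"acme","repo":"acme/app","created_at":1700000900000}
{"action":"repo.create","actor":"dev-bob","org":"acme","repo":"acme/new-service","created_at":1700001000000}
{"action":"git.push","actor":"dev-bob","org":"acme","repo":"acme/app","created_at":1700001100000}
"""

# Action groups keyed to the rule families on this page (names assumed; adjust them to
# the actions your rules actually match on).
ADMIN_ACTIONS = {"repo.destroy", "repo.archived", "repo.unarchived", "org.add_member", "repo.add_member"}
RUNNER_ACTIONS = {"org.register_self_hosted_runner", "org.remove_self_hosted_runner"}
SECRET_ACTIONS = {"org.create_actions_secret", "repo.create_actions_secret"}
MFA_ACTIONS = {"org.disable_two_factor_requirement", "org.enable_two_factor_requirement"}
PUSH_ACTION = "git.push"


@dataclass(frozen=True)
class Policy:
    approved_admins: frozenset          # owners/admins whose admin actions are approved
    approved_runner_actors: frozenset   # actors allowed to change self-hosted runners
    expected_bot_pushers: dict          # repo -> frozenset of bots whose pushes are expected


def triage(audit_log, policy):
    """Return one finding per monitored event: verdict, reason and the raw event."""
    findings = []
    alerted_bot_pushes = set()  # (repo, actor) pairs that already raised the first-use alert
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        action, actor, repo = ev["action"], ev["actor"], ev.get("repo")

        if action in MFA_ACTIONS:
            # Never auto-suppressed: an approved owner can still be a compromised account.
            verdict = ("review", "multifactor authentication change; validate the actor")
        elif action in ADMIN_ACTIONS:
            if actor in policy.approved_admins:
                verdict = ("suppressed", "approved administrator/owner activity")
            else:
                verdict = ("review", "actor is not an approved administrator/owner")
        elif action in RUNNER_ACTIONS:
            if actor in policy.approved_runner_actors:
                verdict = ("suppressed", "allowed self-hosted runner change")
            else:
                verdict = ("review", "unapproved self-hosted runner change")
        elif action in SECRET_ACTIONS:
            # The rule is noisy by design; every new secret still gets an actor check.
            verdict = ("review", "new secret created; validate the actor")
        elif action == PUSH_ACTION and actor.endswith("[bot]"):
            if actor in policy.expected_bot_pushers.get(repo, frozenset()):
                verdict = ("suppressed", "bot push expected by the repository's workflows")
            elif (repo, actor) in alerted_bot_pushes:
                verdict = ("suppressed", "first-use alert already raised for this bot in this repo")
            else:
                alerted_bot_pushes.add((repo, actor))
                verdict = ("review", "first push by this bot in this repo; check workflow config")
        else:
            continue  # not an action any of these rules monitors (human pushes included)

        findings.append({"verdict": verdict[0], "reason": verdict[1], "event": ev})
    return findings


def needs_review(findings):
    """Events left for an analyst after the known false positives are suppressed."""
    return [f for f in findings if f["verdict"] == "review"]


# Hypothetical allowlists; in practice these come from the org's ownership records.
DEFAULT_POLICY = Policy(
    approved_admins=frozenset({"octo-owner"}),
    approved_runner_actors=frozenset({"ci-admin"}),
    expected_bot_pushers={"acme/app": frozenset({"dependabot[bot]"})},
)

if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG, DEFAULT_POLICY):
        e = f["event"]
        print(f'{f["verdict"]:10} {e["action"]:35} {e["actor"]:18} {f["reason"]}')
```

The allowlists deliberately do not cover multifactor changes or new secrets: an approved owner disabling the 2FA requirement, or anyone creating a secret, is exactly the event an attacker with a stolen owner token would produce, so those stay in the review queue and the actor is checked by hand. The bot-push branch mirrors the "first use in a repository" behaviour of the rule: an unexpected bot alerts once per repository, after which the analyst either adds it to `expected_bot_pushers` or treats the repository's workflow configuration as suspect.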