LoFP / Legitimate CI/CD automation that commits and pushes changes (e.g., auto-formatting, changelog updates, version bumps, Dependabot auto-merge) will trigger this alert on first use in a repository. Review the repository's workflow configurations to determine whether bot pushes are expected.

Techniques

Sample rules

GitHub Actions Unusual Bot Push to Repository

Description

Detects when the github-actions[bot] pushes code to a repository where it has not performed this behavior before in a certain time window. This may indicate a supply chain attack where malicious code running in a CI workflow attempts to modify repository contents, such as injecting backdoor workflow files.

Detection logic

event.dataset: "github.audit" and
    event.action: "git.push" and
    user.name: "github-actions[bot]"
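The following is an added example, not code from the LoFP page or from the rule itself: it replays the three-field filter above over constructed github.audit events in Python, adds the "first bot push in this repository within the look-back window" condition that the description refers to, and marks each alert with whether the repository is one where the workflow configuration is known to push as the bot (the false-positive case described above). The `github.repo` field name, the 14-day window and the expected-repository set are assumptions for the example.

```python
"""Added example (not the rule's or the page's own code): applies the
GitHub Actions Unusual Bot Push filter to constructed audit events,
then keeps only the first bot push per repository inside a time window
and flags repositories where bot pushes are expected."""
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real audit data). Field names follow the
# ECS-style names in the rule (event.dataset, event.action, user.name);
# github.repo is an assumed field carrying the repository name.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "event.dataset": "github.audit",
     "event.action": "git.push", "user.name": "github-actions[bot]",
     "github.repo": "acme/web-app"},
    {"@timestamp": "2024-05-01T10:05:00Z", "event.dataset": "github.audit",
     "event.action": "git.push", "user.name": "alice",
     "github.repo": "acme/web-app"},
    {"@timestamp": "2024-05-02T09:00:00Z", "event.dataset": "github.audit",
     "event.action": "git.push", "user.name": "github-actions[bot]",
     "github.repo": "acme/web-app"},
    {"@timestamp": "2024-05-20T12:00:00Z", "event.dataset": "github.audit",
     "event.action": "git.push", "user.name": "github-actions[bot]",
     "github.repo": "acme/infra"},
    {"@timestamp": "2024-05-20T12:01:00Z", "event.dataset": "github.audit",
     "event.action": "workflow_run.completed",
     "user.name": "github-actions[bot]", "github.repo": "acme/infra"},
]

# Assumed list of repositories whose workflow files are known to commit and
# push as the bot (auto-formatting, version bumps, etc.). Alerts on these
# repositories are the expected false positives described on the page.
EXPECTED_BOT_PUSH_REPOS = {"acme/web-app"}


def matches_rule(event):
    """The rule's filter from the page, applied to a single event."""
    return (event.get("event.dataset") == "github.audit"
            and event.get("event.action") == "git.push"
            and event.get("user.name") == "github-actions[bot]")


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_unusual_bot_pushes(events, window_days=14):
    """Return one alert per bot push that has no earlier bot push in the
    same repository within `window_days` (the 'not seen before' condition).

    Each alert records the repository, the push time and whether the
    repository is on the expected-bot-push list for triage."""
    window = timedelta(days=window_days)
    last_seen = {}  # repository -> time of the most recent bot push
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if not matches_rule(ev):
            continue
        repo = ev["github.repo"]
        ts = parse_ts(ev["@timestamp"])
        prev = last_seen.get(repo)
        if prev is None or ts - prev > window:
            alerts.append({"repo": repo,
                           "timestamp": ts.isoformat(),
                           "expected": repo in EXPECTED_BOT_PUSH_REPOS})
        last_seen[repo] = ts
    return alerts


if __name__ == "__main__":
    for alert in find_unusual_bot_pushes(SAMPLE_EVENTS):
        status = "expected (check workflow config)" if alert["expected"] else "REVIEW"
        print(f"{alert['timestamp']} {alert['repo']}: {status}")
```

With the constructed events, the second push to acme/web-app falls inside the window of the first and produces no alert, while the push to acme/infra is the first bot push in that repository and is flagged for review because the repository is not on the expected list.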