High-risk tools in GitHub
10 of the 256 tools in GitHub are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
actions_run_triggerExecuteTrigger GitHub Actions workflow actions
-
base_refExecuteGit reference (e.g., branch) that the agent will start its work from. If not specified, defaults to the repository's default branch (string, optional)
-
dry_runExecuteShow what would be pruned without actually pruning (optional, default: false) (boolean, optional)
-
failed_onlyExecuteWhen true, gets logs for all failed jobs in the workflow run specified by run_id. Requires run_id to be provided. (boolean, optional)
-
new_branchExecuteCreate a new branch with this name in the worktree (optional) (string, optional)
-
new_nameExecuteNew name for the label (used only with 'update' method to rename) (string, optional)
-
run_idExecuteThe unique identifier of the workflow run. Required when failed_only is true to get logs for all failed jobs in the run. (number, optional)
-
start_dateExecuteThe start date of the status update in YYYY-MM-DD format. Used for 'create_project_status_update' method. (string, optional)
-
startLineExecuteFor multi-line comments, the first line of the range that the comment applies to (number, optional)
-
startSideExecuteFor multi-line comments, the starting side of the diff that the comment applies to. LEFT indicates the previous state, RIGHT indicates the new state (string, optional)
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.