Detection rules › Panther
GitHub Workflow Downloading Artifacts
Detects when a GitHub Actions workflow downloads artifacts.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1195.002 Supply Chain Compromise: Compromise Software Supply Chain |
| Stealth | T1027 Obfuscated Files or Information |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
Rule body yaml
AnalysisType: rule
Filename: github_workflow_artifact_download.py
RuleID: "GitHub.Webhook.WorkflowArtifactDownload"
DisplayName: "GitHub Workflow Downloading Artifacts"
Enabled: true
LogTypes:
- GitHub.Webhook
Reports:
MITRE ATT&CK:
- TA0001:T1195.002 # Supply Chain Compromise: Compromise Software Supply Chain
- TA0005:T1027 # Defense Evasion: Obfuscated Files or Information
Tags:
- CI/CD
- Workflow
- Artifacts
CreateAlert: false
Severity: Info
Description: Detects when a GitHub Actions workflow downloads artifacts.
Reference: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/#pwn-request-with-artifact-upload
Tests:
- Name: "Workflow with artifact download"
ExpectedResult: true
Log:
action: "completed"
workflow_job:
id: 52841003143
name: "Deploy"
status: "completed"
conclusion: "success"
run_id: 12345678
steps:
- name: "Setup"
status: "completed"
conclusion: "success"
- name: "Download artifact"
status: "completed"
conclusion: "success"
- name: "Deploy"
status: "completed"
conclusion: "success"
repository:
id: 123456789
full_name: "example-org/example-repo"
- Name: "Workflow with actions/download-artifact"
ExpectedResult: true
Log:
action: "completed"
workflow_job:
id: 52841003144
name: "Process Build"
status: "completed"
conclusion: "success"
run_id: 12345679
steps:
- name: "Checkout"
status: "completed"
conclusion: "success"
- name: "actions/download-artifact@v4"
status: "completed"
conclusion: "success"
- name: "Process"
status: "completed"
conclusion: "success"
repository:
id: 123456789
full_name: "example-org/example-repo"
- Name: "Workflow with restore artifact step"
ExpectedResult: true
Log:
action: "completed"
workflow_job:
id: 52841003145
name: "Test Results"
status: "completed"
conclusion: "success"
run_id: 12345680
steps:
- name: "Restore Artifact from Previous Run"
status: "completed"
conclusion: "success"
repository:
id: 123456789
full_name: "example-org/example-repo"
- Name: "Workflow without artifact download"
ExpectedResult: false
Log:
action: "completed"
workflow_job:
id: 52841003146
name: "Build"
status: "completed"
conclusion: "success"
run_id: 12345681
steps:
- name: "Checkout"
status: "completed"
conclusion: "success"
- name: "Build"
status: "completed"
conclusion: "success"
- name: "Upload artifact"
status: "completed"
conclusion: "success"
repository:
id: 123456789
full_name: "example-org/example-repo"
- Name: "Workflow job in progress"
ExpectedResult: false
Log:
action: "in_progress"
workflow_job:
id: 52841003147
name: "Deploy"
status: "in_progress"
run_id: 12345682
steps:
- name: "Download artifact"
status: "in_progress"
repository:
id: 123456789
full_name: "example-org/example-repo"
Detection logic
Condition
action eq "completed"
workflow_job.steps array_any
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
action | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
name | workflow_job.name |
full_name | repository.full_name |