Skip to content

ericcornelissen/ades

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

209 Commits

.github

.github

 
 

cmd/ades

cmd/ades

 
 

test

test

 
 

web

web

 
 

.editorconfig

.editorconfig

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

COPYING.txt

COPYING.txt

 
 

Containerfile

Containerfile

 
 

Containerfile.dev

Containerfile.dev

 
 

DCO.txt

DCO.txt

 
 

README.md

README.md

 
 

RELEASE.md

RELEASE.md

 
 

RULES.md

RULES.md

 
 

SECURITY.md

SECURITY.md

 
 

analyze.go

analyze.go

 
 

analyze_test.go

analyze_test.go

 
 

capabilities.json

capabilities.json

 
 

doc.go

doc.go

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

matchers.go

matchers.go

 
 

matchers_test.go

matchers_test.go

 
 

mutation_test.go

mutation_test.go

 
 

parse.go

parse.go

 
 

parse_test.go

parse_test.go

 
 

rules.go

rules.go

 
 

rules_test.go

rules_test.go

 
 

schema.json

schema.json

 
 

tasks.go

tasks.go

 
 

tools.go

tools.go

 
 

Repository files navigation

Actions Dangerous Expressions Scanner

A simple tool to find dangerous uses of GitHub Actions Expressions.

Usage

Run the tool from the root of a GitHub repository:

ades .

and it will report all detected dangerous uses of GitHub Actions Expressions.

You can also use the containerized version of the CLI, for example using Docker:

docker run --rm --volume $PWD:/src docker.io/ericornelissen/ades .

Or you can use Go to build from source and run the CLI directly, for example using go run:

go run github.com/ericcornelissen/ades/cmd/ades@latest .

Features

  • Scans workflow files and action manifests.
  • Reports dangerous uses of expressions in run: directives, actions/github-script scripts, and known problematic action inputs.
  • (Experimental) Report dangerous uses of expressions in known vulnerable actions.
  • Provides suggested fixes and (Experimental) fully automated fixes.
  • Configurable sensitivity.
  • Machine & human readable output formats.

Rules

See RULES.md.

JSON output

The -json flag can be used to get the scan results in JSON format. This can be used by machines to parse the results to process them for other purposes. The schema is defined in schema.json. The schema is intended to be stable from one version to the next for longer periods of time.

Background

A GitHub Actions Expression is a string like:

${{ <expression> }}

that may appear in a GitHub Actions workflow or manifest and is filled in at runtime. If the value is controlled by a malicious actor it could be used to hijack the continuous integration pipeline of a repository. GitHub blogged about this problem in August of 2023.

Philosophy

This project aims to provide a tool aimed at helping developers avoid the problem of injection through expressions altogether. Instead of reporting on known problematic uses of expressions, ades reports on all potentially dangerous uses of expressions, nudging developers to use safe alternatives from the get-go.

The motivation behind this is twofold. First, it makes the tool much simpler and faster. Second, it acknowledges that software development is dynamic and making changes some time after a piece of code was introduced can be harder when compared to when the code is being written - thus reporting when a dangerous expression is introduces simplifies the mitigation process.

Related Work

ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions

A research tool aimed at finding problematic expression in GitHub Action Workflows and Actions, similar to ades.

Performs taint analysis tracking known problematic expressions across workflows, steps, and jobs and into and out of JavaScript Actions. It only takes into account known problematic expressions that use github context values. Because of the taint analysis it will report fewer expressions than ades (fewer false positives), but it might also miss some problematic expressions (more false negatives).

It may find problematic expressions as a result of a (unknown) vulnerability in an Action, which ades won't report because it is considered out of scope (and arguably better left for dedicated tooling).

Lastly, a seemingly unrelated change in a workflow might change the result of the taint analysis and result in a new warning, thus requiring constant usage of ARGUS, which is relatively expensive.

Automatic Security Assessment of GitHub Actions Workflows

A research tool aimed at finding misconfigurations in GitHub Action Workflows (not Actions). It includes looking for problematic expression in run: scripts, which is also covered by ades.

When it reports on problematic expression in run: scripts it only considers known problematic expression that use github context values. Because it considers fewer expressions problematic it will report fewer expressions overall (fewer false positives), but it might also miss other problematic expressions in run: scripts and will completely miss others, for example in actions/github-script scripts, when compared to ades (more false positives).

CycodeLabs/raven

An open source tool developed by a commercial company. It aims to find misconfigurations in GitHub Actions Workflows (not Actions). Among other checks it looks for a couple known problematic uses of expressions involving the github context. As a result it will report fewer expressions overall (fewer false positives) but miss some compared to ades (more false positives).

BoostSecurity.io/poutine

An open source tool developed by a commercial company. It aims to find misconfigurations in CI/CD pipeline configurations including GitHub Actions Workflows. Among other checks it looks for a couple known problematic uses of expressions involving the github context. As a result it will report fewer expressions overall (fewer false positives) but miss some compared to ades (more false positives).

Other

There's other work being done in the scope of securing GitHub Actions Workflows and Actions that do not focus on expression but are still worth mentioning:

License

The software is available under the GPL-3.0-or-later license, see COPYING.txt for the full license text. The documentation is available under the GFDL-1.3-or-later license, see GNU Free Documentation License v1.3 for the full license text.

About

Find dangerous uses of GitHub Actions Workflow expressions.

ericcornelissen.github.io/ades/

Topics

security scanner gha

Resources

Readme

License

GPL-3.0 license

Security policy

Security policy
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 7

Release v24.04 Latest
Apr 13, 2024
+ 6 releases

Contributors 3

  •  
  •  
  •  

Languages