{"id":31539752,"url":"https://github.com/aquasecurity/tracee-action","last_synced_at":"2026-03-09T15:02:04.543Z","repository":{"id":65158935,"uuid":"366879318","full_name":"aquasecurity/tracee-action","owner":"aquasecurity","description":"Protect GitHub Actions with Tracee","archived":false,"fork":false,"pushed_at":"2025-02-08T18:43:58.000Z","size":73,"stargazers_count":81,"open_issues_count":3,"forks_count":9,"subscribers_count":5,"default_branch":"start","last_synced_at":"2026-02-10T21:58:39.488Z","etag":null,"topics":["ebpf","github-actions","runtime-scanner","security"],"latest_commit_sha":null,"homepage":"https://github.com/aquasecurity/tracee","language":"Open Policy Agent","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aquasecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-05-12T23:28:29.000Z","updated_at":"2025-12-21T04:51:55.000Z","dependencies_parsed_at":"2025-10-08T22:00:52.341Z","dependency_job_id":null,"html_url":"https://github.com/aquasecurity/tracee-action","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/aquasecurity/tracee-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Ftracee-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Ftracee-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Ftracee-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Ftracee-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aquasecurity","download_url":"https://codeload.github.com/aquasecurity/tracee-action/tar.gz/refs/heads/start","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Ftracee-action/sbom","scorecard":{"id":204689,"data":{"date":"2025-08-11","repo":{"name":"github.com/aquasecurity/tracee-action","commit":"d434f9d7ee051ec17779d5e8b1cbd7259e52788d"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.3,"checks":[{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":2,"reason":"Found 4/14 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'start'","Warn: branch protection not enabled for branch 'stop'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-16T23:27:53.820Z","repository_id":65158935,"created_at":"2025-08-16T23:27:53.820Z","updated_at":"2025-08-16T23:27:53.820Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30299857,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-09T14:33:48.460Z","status":"ssl_error","status_checked_at":"2026-03-09T14:33:48.027Z","response_time":61,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","github-actions","runtime-scanner","security"],"created_at":"2025-10-04T09:13:49.252Z","updated_at":"2026-03-09T15:02:04.486Z","avatar_url":"https://github.com/aquasecurity.png","language":"Open Policy Agent","funding_links":[],"categories":[],"sub_categories":[],"readme":"**This project is for demonstration purpose only. It is not under active development. Use at your own risk**\nWatch a detailed introduction to the project: https://youtu.be/nNqrPNEqtw0\n\n# Protect your GitHub Actions with Tracee\n\n[Tracee](https://github.com/aquasecurity/tracee) is a powerful open source runtime security and forensics solution. It is using eBPF to trace your system, produce rich events that gives you visibility into what is happening under the hood, and also detects suspicious behavior in those event.\n\nThis project is using Tracee to protect GitHub Actions workflow against supply chain attacks.\n\n## Protection\n\ntracee-action offers two kinds of protection that complements each other: Events, and Profile.\n\n### Signatures\n\nTracee runs in the background and hunts for suspicious behavior in the runner and in the workflow. It uses the powerful set of behavioral signatures that is available for Tracee, and you can add your own specific signatures to detect unwanted behavior.\nSignatures detections are reported to you as a comment on the PR that triggered the action for your review.\nYou can review the list of events in the default policy [here](policies/signatures.yaml.tmpl)\n\n### Profile\n\nWhile the profile is running Tracee builds a profile that describes how your workflow normally behaves. Once you approve this initial profile as the baseline, tracee-action will detect and report any deviation from it.\nProfile deviations are reported to you as a new PR that add commits the changes to a `.tracee` directory in the project.\nYou can review the contents of the default profile [here](docs/profile.md)\n\n## Getting Started\n\nAdd tracee-action to the beginning of your workflow with the tag ending with `-start`, and to the end of your workflow with the tag ending with `-stop`.\nExample:\n\n```yaml\nname: My pipeline\njobs:\n  my-job:\n    runs-on: ubuntu-latest\n    steps:\n    - name: Start Tracee\n      uses: aquasecurity/tracee-action@v0.3.0-start\n\n    ...\n\n    - name: Stop Tracee\n      uses: aquasecurity/tracee-action@v0.3.0-stop\n```\n\nThere are some configuration options the are detailed [here](docs/config.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquasecurity%2Ftracee-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faquasecurity%2Ftracee-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquasecurity%2Ftracee-action/lists"}