{"id":31765108,"url":"https://github.com/h7ml/security-auto-scan","last_synced_at":"2025-10-10T00:13:17.101Z","repository":{"id":318437520,"uuid":"1071264599","full_name":"h7ml/security-auto-scan","owner":"h7ml","description":"🔐 Automatically scan and clean malicious workflow files in GitHub Actions | Log encryption | Smart API retry | Multi-format reports | Webhook notifications","archived":false,"fork":false,"pushed_at":"2025-10-07T07:04:21.000Z","size":34,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-10-07T08:23:45.808Z","etag":null,"topics":["automation","cicd","devops","github-actions","github-api","malware-detection","python","security","security-tools","supply-chain","vulnerability-scanner","workflow"],"latest_commit_sha":null,"homepage":"https://github.com/marketplace/actions/security-auto-scan","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/h7ml.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security/reports/.gitkeep","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-07T05:34:45.000Z","updated_at":"2025-10-07T07:03:17.000Z","dependencies_parsed_at":"2025-10-07T08:23:49.837Z","dependency_job_id":"a5aad8b0-c1ba-4927-ad56-4f11ed70291b","html_url":"https://github.com/h7ml/security-auto-scan","commit_stats":null,"previous_names":["h7ml/security-auto-scan"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/h7ml/security-auto-scan","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/r
epositories/h7ml%2Fsecurity-auto-scan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h7ml%2Fsecurity-auto-scan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h7ml%2Fsecurity-auto-scan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h7ml%2Fsecurity-auto-scan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/h7ml","download_url":"https://codeload.github.com/h7ml/security-auto-scan/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h7ml%2Fsecurity-auto-scan/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279002382,"owners_count":26083356,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-09T02:00:07.460Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","cicd","devops","github-actions","github-api","malware-detection","python","security","security-tools","supply-chain","vulnerability-scanner","workflow"],"created_at":"2025-10-10T00:13:14.669Z","updated_at":"2025-10-10T00:13:17.092Z","avatar_url":"https://github.com/h7ml.png","language":"Python","readme":"# Security Auto Scan Action\n\n\u003cdiv 
align=\"center\"\u003e\n\n![Security](https://img.shields.io/badge/security-auto--scan-red?style=for-the-badge)\n![Python](https://img.shields.io/badge/python-3.11-blue?style=for-the-badge)\n[![License](https://img.shields.io/github/license/h7ml/security-auto-scan?style=for-the-badge)](LICENSE)\n[![GitHub release](https://img.shields.io/github/v/release/h7ml/security-auto-scan?style=for-the-badge)](https://github.com/h7ml/security-auto-scan/releases)\n[![GitHub Marketplace](https://img.shields.io/badge/Marketplace-Security%20Auto%20Scan-blue?style=for-the-badge\u0026logo=github)](https://github.com/marketplace/actions/security-auto-scan)\n\n[![GitHub stars](https://img.shields.io/github/stars/h7ml/security-auto-scan?style=social)](https://github.com/h7ml/security-auto-scan/stargazers)\n[![GitHub forks](https://img.shields.io/github/forks/h7ml/security-auto-scan?style=social)](https://github.com/h7ml/security-auto-scan/network/members)\n[![GitHub watchers](https://img.shields.io/github/watchers/h7ml/security-auto-scan?style=social)](https://github.com/h7ml/security-auto-scan/watchers)\n[![GitHub issues](https://img.shields.io/github/issues/h7ml/security-auto-scan)](https://github.com/h7ml/security-auto-scan/issues)\n[![GitHub pull requests](https://img.shields.io/github/issues-pr/h7ml/security-auto-scan)](https://github.com/h7ml/security-auto-scan/pulls)\n[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/h7ml/security-auto-scan/test.yml?branch=main\u0026label=tests)](https://github.com/h7ml/security-auto-scan/actions)\n\n**Automatically scan and clean malicious workflow files in GitHub Actions**\n\n[English](./README.md) | [简体中文](./README_zh-CN.md)\n\n\u003c/div\u003e\n\n## 📖 Introduction\n\nSecurity Auto Scan is a GitHub Action that automatically detects and removes malicious workflow files. 
Features:\n\n- 🔍 **Auto Scan** all your repositories (personal + organizations)\n- 🧹 **Auto Clean** detected malicious files\n- 🔐 **Log Masking** automatically hide sensitive information using GitHub Actions `::add-mask::`\n- 📊 **Generate Reports** detailed scan and cleanup reports\n- 🚨 **Create Issues** automatically create alerts when threats are found\n- 📢 **Webhook Notifications** support Slack/Discord/Teams/DingTalk/Feishu, etc.\n- 💾 **Cache Optimization** avoid duplicate cloning, improve performance by 50-80%\n- 🛡️ **Security First** won't delete important files, won't disable itself\n\n## 🎯 Use Cases\n\n### Supply Chain Attack Response\n\nIf your GitHub account is compromised, attackers might:\n\n1. Inject malicious workflow files\n2. Steal your GitHub Secrets\n3. Exfiltrate data through domains like `*.oast.fun`\n\n**This Action helps you clean all infected repositories with one click!**\n\n### Regular Security Scanning\n\nEven without an attack, regular scanning is recommended:\n\n- Auto scan daily (cron: '0 3 * * *')\n- Immediate alert on suspicious files\n- Protect your code and Secrets\n\n## 🚀 Quick Start\n\n### 1. 
Create Workflow File\n\nCreate `.github/workflows/security-scan.yml` in your repository:\n\n```yaml\nname: Security Scan\n\non:\n  # Auto scan daily at 3 AM\n  schedule:\n    - cron: '0 3 * * *'\n\n  # Manual trigger\n  workflow_dispatch:\n    inputs:\n      keyword:\n        description: 'Search keyword'\n        required: false\n        default: '.oast.fun'\n      dry_run:\n        description: 'Scan only (true/false)'\n        required: false\n        default: 'false'\n\njobs:\n  security-scan:\n    runs-on: ubuntu-latest\n\n    permissions:\n      contents: write\n      actions: write\n      issues: write\n\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Security Auto Scan\n        uses: h7ml/security-auto-scan@v1\n        with:\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n          keyword: ${{ github.event.inputs.keyword || '.oast.fun' }}\n          dry-run: ${{ github.event.inputs.dry_run || 'false' }}\n          create-issue: 'true'\n          mask-sensitive-data: 'true'\n```\n\n### 2. Configure Token\n\n**Option A: Use default GITHUB_TOKEN (Recommended)**\n\nThe default `GITHUB_TOKEN` can only access the current repository. To scan all repositories, use Option B.\n\n**Option B: Use Personal Access Token**\n\n1. Visit https://github.com/settings/tokens/new\n2. Create Token with permissions:\n   - ✅ `repo` - Full repository access\n   - ✅ `workflow` - Workflow permission\n3. Add Token to repository Secrets:\n   - Settings → Secrets → Actions → New repository secret\n   - Name: `SECURITY_SCAN_TOKEN`\n   - Value: Paste your Token\n\n4. Update workflow:\n   ```yaml\n   with:\n     github-token: ${{ secrets.SECURITY_SCAN_TOKEN }}\n   ```\n\n### 3. Run Scan\n\n**Auto Run**: Executes daily at 3 AM\n\n**Manual Run**:\n1. Go to Actions tab\n2. Select \"Security Scan\"\n3. Click \"Run workflow\"\n4. 
Configure parameters and run\n\n## 📋 Input Parameters\n\n| Parameter | Required | Default | Description |\n|-----------|----------|---------|-------------|\n| `github-token` | ✅ | - | GitHub Token (requires `repo` and `workflow` permissions) |\n| `keyword` | ❌ | `.oast.fun` | Search keyword (malicious signature) |\n| `dry-run` | ❌ | `false` | Scan-only mode (no cleanup) |\n| `create-issue` | ❌ | `true` | Create Issue when threats found |\n| `disable-workflows` | ❌ | `false` | Disable workflows in infected repositories |\n| `mask-sensitive-data` | ❌ | `true` | Log masking (auto-hide sensitive info) |\n| `notification-webhook` | ❌ | `` | Webhook URL (Slack/Teams/Discord support) |\n| `notification-template` | ❌ | `detailed` | Notification template (`compact` or `detailed`) |\n\n## 📤 Outputs\n\n| Output | Description |\n|--------|-------------|\n| `infected-repos` | Number of infected repositories |\n| `success-count` | Number of successful cleanups |\n| `failed-count` | Number of failed cleanups |\n| `report-path` | Scan report path |\n\n### Output Usage Example\n\n```yaml\n- name: Security Auto Scan\n  id: scan\n  uses: h7ml/security-auto-scan@v1\n  with:\n    github-token: ${{ secrets.GITHUB_TOKEN }}\n\n- name: Check results\n  run: |\n    echo \"Found ${{ steps.scan.outputs.infected-repos }} infected repositories\"\n    echo \"Cleaned successfully ${{ steps.scan.outputs.success-count }}\"\n    echo \"Failed to clean ${{ steps.scan.outputs.failed-count }}\"\n```\n\n## 📊 Features\n\n### ✅ Smart Scanning\n\n- Search all your repositories (personal + organizations)\n- Use GitHub Code Search API (fast, precise)\n- **Pagination support**: automatically fetch all matching results (up to 1000)\n- Exclude specific files (e.g., `security-auto-scan.yml`)\n- Won't disable current repository workflows\n\n### 🧹 Auto Cleanup\n\n- Clone infected repositories\n- Delete malicious workflow files\n- Commit and push cleanup\n- Record deletion history\n\n### 🔐 Security Features\n\n- 
**Log Masking**: use GitHub Actions `::add-mask::` to auto-hide sensitive info (Token, URL, etc.)\n- **Configuration Toggle**: support enable/disable masking\n- **Minimum Privilege**: only requires `repo` and `workflow` permissions\n- **Prevent Mis-deletion**: exclusion list, won't delete important files\n- **Skip Current Repo**: won't disable self\n\n### 📢 Notification Integration\n\n- **Webhook Support**: Slack/Discord/Teams/DingTalk/Feishu, etc.\n- **Notification Templates**: compact and detailed templates\n- **Auto Trigger**: auto send when threats found\n- **Flexible Config**: customizable notification content\n\n### 🔧 Error Handling\n\n- Detailed push failure analysis\n- Auto retry (pull before push on conflict)\n- Record failed repositories and reasons\n- Provide manual cleanup guide\n\n### 📈 Performance Optimization\n\n- Cache cloned repositories\n- Avoid duplicate cloning\n- Speed up by 50-80% on subsequent runs\n- Auto clean cache older than 7 days\n\n### 📝 Reports and Notifications\n\n- Generate detailed scan reports\n- Auto create alert Issues\n- Upload Artifacts (30-day retention)\n- Failed repository list and manual cleanup steps\n\n## 🛡️ Security\n\n### Token Security\n\n- **Minimum Privilege**: only requires `repo` and `workflow` permissions\n- **Temporary Token**: recommend 90-day expiration\n- **Revoke After Use**: immediately revoke Token after scan\n- **Log Masking**: auto-hide Token to prevent leakage\n\n### Data Privacy\n\n- **Local Processing**: all data processed in Actions Runner\n- **No Upload**: won't upload your code to third-party services\n- **Reports Only**: only commit scan reports, not logs\n\n### Prevent Mis-deletion\n\n- **Exclusion List**: won't delete `security-auto-scan.yml`\n- **Skip Current Repo**: won't disable self\n- **Scan-only Mode**: support scan before deciding to clean\n\n## 📖 Advanced Usage\n\nSee [EXAMPLES.md](./EXAMPLES.md) for more examples:\n\n- Basic example\n- Complete configuration\n- Scan-only mode\n- 
Multi-keyword scanning\n- Webhook notification integration\n- Log masking configuration\n- Matrix strategy scanning\n\n## 🏗️ Technical Architecture\n\n- **Language**: Python 3.11\n- **Core Library**: requests\n- **Runtime**: GitHub Actions (ubuntu-latest)\n- **Cache Mechanism**: `.alcache` directory for cloned repos\n- **Log Masking**: GitHub Actions `::add-mask::` workflow command\n\n## 🤝 Contributing\n\nContributions welcome! See [CONTRIBUTING.md](./CONTRIBUTING.md)\n\n## 📄 License\n\n[MIT License](./LICENSE)\n\n## 🙏 Acknowledgements\n\n- Inspired by real GitHub Actions supply chain attack incidents\n- Thanks to all contributors and user feedback\n- Referenced industry security best practices\n\n## 📞 Support\n\n- 🐛 [Report Issues](https://github.com/h7ml/security-auto-scan/issues)\n- 💬 [Discussions](https://github.com/h7ml/security-auto-scan/discussions)\n- 📧 Email: h7ml@qq.com\n\n## 🔍 Related Resources\n\n- [GitHub Actions Security Best Practices](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)\n- [GitHub Code Scanning](https://docs.github.com/en/code-security/code-scanning)\n- [GitHub Secret Scanning](https://docs.github.com/en/code-security/secret-scanning)\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\n**If this Action helps you, please give it a ⭐️ Star!**\n\nMade with ❤️ by [h7ml](https://github.com/h7ml)\n\n\u003c/div\u003e\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fh7ml%2Fsecurity-auto-scan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fh7ml%2Fsecurity-auto-scan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fh7ml%2Fsecurity-auto-scan/lists"}