{"id":15404573,"url":"https://github.com/k1low/oshka","last_synced_at":"2025-10-18T20:43:26.682Z","repository":{"id":44541509,"uuid":"397073656","full_name":"k1LoW/oshka","owner":"k1LoW","description":"oshka is a tool for extracting nested CI/CD supply chains and executing commands.","archived":false,"fork":false,"pushed_at":"2024-01-31T22:48:24.000Z","size":349,"stargazers_count":3,"open_issues_count":2,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-29T05:41:37.575Z","etag":null,"topics":["github-actions","security","supply-chain"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/k1LoW.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"k1LoW","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":null}},"created_at":"2021-08-17T03:06:28.000Z","updated_at":"2022-09-30T08:22:48.000Z","dependencies_parsed_at":"2024-06-19T19:01:11.038Z","dependency_job_id":"791381f8-85e6-48e9-a356-589e17251c98","html_url":"https://github.com/k1LoW/oshka","commit_stats":{"total_commits":56,"total_committers":1,"mean_commits":56.0,"dds":0.0,"last_synced_commit":"ff354f3e530117d6f3f9dff10445610b4975fe3a"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k1LoW%2Foshka","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k1LoW%2Foshka/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k1LoW%2Foshka/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k1LoW%2Foshka/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/k1LoW","download_url":"https://codeload.github.com/k1LoW/oshka/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249279134,"owners_count":21242853,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","security","supply-chain"],"created_at":"2024-10-01T16:13:45.148Z","updated_at":"2025-10-18T20:43:26.597Z","avatar_url":"https://github.com/k1LoW.png","language":"Go","funding_links":["https://github.com/sponsors/k1LoW"],"categories":[],"sub_categories":[],"readme":"# oshka\n\n`oshka`【oʊʃkə】is a tool for extracting nested CI/CD supply chains and executing commands.\n\n## Concept\n\nSecurity checks should be performed not only on the source code of the repository but also on the code of the third-party actions of GitHub Actions and Docker images that compose the CI/CD.\n\nThe primary purpose of `oshka` is for the continuous security check of the nested CI/CD supply chains ( So the default execution `--command` is `trivy fs --exit-code 1 .` ).\n\nBecause most tools can be run on the filesystem, oshka has a strategy of deploying the supply chains in temporary directories.\n\n### Behavior\n\n1. Analyze the nested supply chains that compose the CI/CD\n    - Detect repositories of third-party actions.\n    - Detect docker images.\n2. Extract the resources of supply chains to local temporary directory.\n2. Execute any commands to the extracted resources.\n\n## Usage\n\n### Scan local filesystem and supply chains for vulnerabilities using Trivy\n\n( The default execution `--command` is `trivy fs --exit-code 1 .` )\n\n``` console\n$ oshka run fs .\n```\n\n\u003cdetails\u003e\n\n\u003csummary\u003eResult\u003c/summary\u003e\n\n``` console\n$ oshka run fs .\n2021-08-31T20:40:24+09:00 [INFO] Create temporary directory for extracting supply chains: /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/\n2021-08-31T20:40:24+09:00 [INFO] Extract local . to /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/local-cdb4ee2\n2021-08-31T20:40:25+09:00 [INFO] Run `trivy fs --exit-code 1 .` on /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/local-cdb4ee2\n2021-08-31T20:40:25.362+0900    INFO    Using your github token\n2021-08-31T20:40:25.540+0900    INFO    Number of language-specific files: 5\n2021-08-31T20:40:25.540+0900    INFO    Detecting gobinary vulnerabilities...\n2021-08-31T20:40:25.542+0900    INFO    Detecting gomod vulnerabilities...\n\ndist/goreleaserdocker077582362/oshka (gobinary)\n===============================================\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n\n+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+\n|             LIBRARY              | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  |                 TITLE                 |\n+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+\n| github.com/containerd/containerd | CVE-2021-32760   | MEDIUM   | v1.5.3            | v1.4.8, v1.5.4 | containerd: pulling and               |\n|                                  |                  |          |                   |                | extracting crafted container          |\n|                                  |                  |          |                   |                | image may result in Unix file...      |\n|                                  |                  |          |                   |                | --\u003eavd.aquasec.com/nvd/cve-2021-32760 |\n+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+\n\ndist/oshka-darwin-windows_darwin_amd64/oshka (gobinary)\n=======================================================\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n\n+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+\n|             LIBRARY              | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  |                 TITLE                 |\n+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+\n| github.com/containerd/containerd | CVE-2021-32760   | MEDIUM   | v1.5.3            | v1.4.8, v1.5.4 | containerd: pulling and               |\n|                                  |                  |          |                   |                | extracting crafted container          |\n|                                  |                  |          |                   |                | image may result in Unix file...      |\n|                                  |                  |          |                   |                | --\u003eavd.aquasec.com/nvd/cve-2021-32760 |\n+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+\n\ndist/oshka-darwin-windows_windows_amd64/oshka.exe (gobinary)\n============================================================\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n\n+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+\n|             LIBRARY              | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  |                 TITLE                 |\n+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+\n| github.com/containerd/containerd | CVE-2021-32760   | MEDIUM   | v1.5.3            | v1.4.8, v1.5.4 | containerd: pulling and               |\n|                                  |                  |          |                   |                | extracting crafted container          |\n|                                  |                  |          |                   |                | image may result in Unix file...      |\n|                                  |                  |          |                   |                | --\u003eavd.aquasec.com/nvd/cve-2021-32760 |\n+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+\n\ndist/oshka-linux_linux_amd64/oshka (gobinary)\n=============================================\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)\n\n+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+\n|             LIBRARY              | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  |                 TITLE                 |\n+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+\n| github.com/containerd/containerd | CVE-2021-32760   | MEDIUM   | v1.5.3            | v1.4.8, v1.5.4 | containerd: pulling and               |\n|                                  |                  |          |                   |                | extracting crafted container          |\n|                                  |                  |          |                   |                | image may result in Unix file...      |\n|                                  |                  |          |                   |                | --\u003eavd.aquasec.com/nvd/cve-2021-32760 |\n+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+\n\ngo.sum (gomod)\n==============\nTotal: 18 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 8, CRITICAL: 0)\n\n+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+\n|              LIBRARY               | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION         |             FIXED VERSION             |                  TITLE                  |\n+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+\n| github.com/apache/thrift           | CVE-2019-0205    | HIGH     | 0.12.0                            | 0.13.0                                | thrift: Endless loop when               |\n|                                    |                  |          |                                   |                                       | feed with specific input data           |\n|                                    |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2019-0205    |\n+                                    +------------------+          +                                   +                                       +-----------------------------------------+\n|                                    | CVE-2019-0210    |          |                                   |                                       | thrift: Out-of-bounds read              |\n|                                    |                  |          |                                   |                                       | related to TJSONProtocol                |\n|                                    |                  |          |                                   |                                       | or TSimpleJSONProtocol                  |\n|                                    |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2019-0210    |\n+                                    +------------------+          +                                   +---------------------------------------+-----------------------------------------+\n|                                    | CVE-2020-13949   |          |                                   | v0.14.0                               | libthrift: potential DoS when           |\n|                                    |                  |          |                                   |                                       | processing untrusted payloads           |\n|                                    |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2020-13949   |\n+------------------------------------+------------------+          +-----------------------------------+---------------------------------------+-----------------------------------------+\n| github.com/buger/jsonparser        | CVE-2020-10675   |          | 0.0.0-20180808090653-f4dd9f5a6b44 | v0.0.0-20200321185410-91ac96899e49    | golang-github-buger-jsonparser:         |\n|                                    |                  |          |                                   |                                       | infinite loop via a Delete call         |\n|                                    |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2020-10675   |\n+                                    +------------------+          +                                   +---------------------------------------+-----------------------------------------+\n|                                    | CVE-2020-35381   |          |                                   | v1.1.1                                | jsonparser: GET call can lead to        |\n|                                    |                  |          |                                   |                                       | a slice bounds out of range...          |\n|                                    |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2020-35381   |\n+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+\n| github.com/containerd/containerd   | CVE-2021-32760   | MEDIUM   | 1.5.3                             | v1.4.8, v1.5.4                        | containerd: pulling and                 |\n|                                    |                  |          |                                   |                                       | extracting crafted container            |\n|                                    |                  |          |                                   |                                       | image may result in Unix file...        |\n|                                    |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2021-32760   |\n+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+\n| github.com/dgrijalva/jwt-go        | CVE-2020-26160   | HIGH     | 3.2.0+incompatible                |                                       | jwt-go: access restriction              |\n|                                    |                  |          |                                   |                                       | bypass vulnerability                    |\n|                                    |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2020-26160   |\n+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+\n| github.com/gorilla/handlers        | GO-2020-0020     | UNKNOWN  | 0.0.0-20150720190736-60c7bfde3e33 | v1.3.0                                |                                         |\n+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+\n| github.com/miekg/dns               | CVE-2019-19794   | MEDIUM   | 1.0.14                            | v1.1.25-0.20191211073109-8ebf2e419df7 | golang-github-miekg-dns: predictable    |\n|                                    |                  |          |                                   |                                       | TXID can lead to response forgeries     |\n|                                    |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2019-19794   |\n+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+\n| github.com/sassoftware/go-rpmutils | CVE-2020-7667    | HIGH     | 0.0.0-20190420191620-a8f1baeba37b | v0.1.0                                | In package                              |\n|                                    |                  |          |                                   |                                       | github.com/sassoftware/go-rpmutils/cpio |\n|                                    |                  |          |                                   |                                       | before version 0.1.0, the               |\n|                                    |                  |          |                                   |                                       | CPIO extraction functionality           |\n|                                    |                  |          |                                   |                                       | doesn't sanitize...                     |\n|                                    |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2020-7667    |\n+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+\n| github.com/satori/go.uuid          | GO-2020-0018     | UNKNOWN  | 1.2.0                             | v1.2.1-0.20181016170032-d91630c85102  |                                         |\n+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+\n| github.com/ulikunitz/xz            | CVE-2021-29482   | HIGH     | 0.5.7                             | v0.5.8                                | ulikunitz/xz: Infinite                  |\n|                                    |                  |          |                                   |                                       | loop in readUvarint allows              |\n|                                    |                  |          |                                   |                                       | for denial of service                   |\n|                                    |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2021-29482   |\n+                                    +------------------+----------+                                   +                                       +-----------------------------------------+\n|                                    | GO-2020-0016     | UNKNOWN  |                                   |                                       |                                         |\n+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+\n| k8s.io/kubernetes                  | CVE-2019-1002101 | MEDIUM   | 1.13.0                            | 1.11.9, 1.12.7, 1.13.5,               | kubernetes: Mishandling of              |\n|                                    |                  |          |                                   | 1.14.1-beta.0                         | symlinks allows for arbitrary           |\n|                                    |                  |          |                                   |                                       | file write via `kubectl cp`...          |\n|                                    |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2019-1002101 |\n+                                    +------------------+          +                                   +---------------------------------------+-----------------------------------------+\n|                                    | CVE-2019-11250   |          |                                   | v1.16.0-beta.1                        | kubernetes: Bearer tokens               |\n|                                    |                  |          |                                   |                                       | written to logs at high                 |\n|                                    |                  |          |                                   |                                       | verbosity levels (\u003e= 7)...              |\n|                                    |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2019-11250   |\n+                                    +------------------+          +                                   +---------------------------------------+-----------------------------------------+\n|                                    | CVE-2020-8554    |          |                                   |                                       | kubernetes: MITM using                  |\n|                                    |                  |          |                                   |                                       | LoadBalancer or ExternalIPs             |\n|                                    |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2020-8554    |\n+                                    +------------------+          +                                   +---------------------------------------+-----------------------------------------+\n|                                    | CVE-2020-8564    |          |                                   | v1.20.0-alpha.1                       | kubernetes: Docker config               |\n|                                    |                  |          |                                   |                                       | secrets leaked when file is             |\n|                                    |                  |          |                                   |                                       | malformed and loglevel \u003e=...            |\n|                                    |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2020-8564    |\n+                                    +------------------+          +                                   +---------------------------------------+-----------------------------------------+\n|                                    | CVE-2020-8565    |          |                                   | v1.20.0-alpha.2                       | kubernetes: Incomplete fix              |\n|                                    |                  |          |                                   |                                       | for CVE-2019-11250 allows for           |\n|                                    |                  |          |                                   |                                       | token leak in logs when...              |\n|                                    |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2020-8565    |\n+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+\n2021-08-31T20:40:25+09:00 [INFO] Detect action actions/setup-go@v2 from /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/local-cdb4ee2\n2021-08-31T20:40:25+09:00 [INFO] Detect action actions/checkout@v2 from /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/local-cdb4ee2\n2021-08-31T20:40:25+09:00 [INFO] Detect action golangci/golangci-lint-action@v2 from /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/local-cdb4ee2\n2021-08-31T20:40:25+09:00 [INFO] Extract action actions/setup-go@v2 to /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/actions/setup-go@v2\nEnumerating objects: 1035, done.\nCounting objects: 100% (31/31), done.\nCompressing objects: 100% (29/29), done.\nTotal 1035 (delta 12), reused 8 (delta 0), pack-reused 1004\n2021-08-31T20:40:26+09:00 [INFO] Run `trivy fs --exit-code 1 .` on /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/actions/setup-go@v2\n2021-08-31T20:40:26.931+0900    INFO    Using your github token\n2021-08-31T20:40:26.988+0900    INFO    Number of language-specific files: 1\n2021-08-31T20:40:26.988+0900    INFO    Detecting npm vulnerabilities...\n\npackage-lock.json (npm)\n=======================\nTotal: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n\n2021-08-31T20:40:26+09:00 [INFO] Extract action actions/checkout@v2 to /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/actions/checkout@v2\nEnumerating objects: 997, done.\nCounting objects: 100% (28/28), done.\nCompressing objects: 100% (21/21), done.\nTotal 997 (delta 11), reused 11 (delta 6), pack-reused 969\n2021-08-31T20:40:29+09:00 [INFO] Run `trivy fs --exit-code 1 .` on /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/actions/checkout@v2\n2021-08-31T20:40:29.201+0900    INFO    Using your github token\n2021-08-31T20:40:29.261+0900    INFO    Number of language-specific files: 1\n2021-08-31T20:40:29.261+0900    INFO    Detecting npm vulnerabilities...\n\npackage-lock.json (npm)\n=======================\nTotal: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)\n\n+---------------+------------------+----------+-------------------+---------------------+---------------------------------------+\n|    LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |    FIXED VERSION    |                 TITLE                 |\n+---------------+------------------+----------+-------------------+---------------------+---------------------------------------+\n| @actions/core | CVE-2020-15228   | MEDIUM   | 1.1.3             | 1.2.6               | Environment Variable                  |\n|               |                  |          |                   |                     | Injection in GitHub Actions           |\n|               |                  |          |                   |                     | --\u003eavd.aquasec.com/nvd/cve-2020-15228 |\n+---------------+------------------+          +-------------------+---------------------+---------------------------------------+\n| node-fetch    | CVE-2020-15168   |          | 2.6.0             | 3.0.0-beta.9, 2.6.1 | node-fetch: size of data after        |\n|               |                  |          |                   |                     | fetch() JS thread leads to DoS        |\n|               |                  |          |                   |                     | --\u003eavd.aquasec.com/nvd/cve-2020-15168 |\n+---------------+------------------+----------+-------------------+---------------------+---------------------------------------+\n| underscore    | CVE-2021-23358   | HIGH     | 1.8.3             | 1.12.1              | nodejs-underscore: Arbitrary code     |\n|               |                  |          |                   |                     | execution via the template function   |\n|               |                  |          |                   |                     | --\u003eavd.aquasec.com/nvd/cve-2021-23358 |\n+---------------+------------------+----------+-------------------+---------------------+---------------------------------------+\n2021-08-31T20:40:29+09:00 [INFO] Extract action golangci/golangci-lint-action@v2 to /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/golangci/golangci-lint-action@v2\nEnumerating objects: 1342, done.\nCounting objects: 100% (431/431), done.\nCompressing objects: 100% (241/241), done.\nTotal 1342 (delta 329), reused 268 (delta 188), pack-reused 911\n2021-08-31T20:40:31+09:00 [INFO] Run `trivy fs --exit-code 1 .` on /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/golangci/golangci-lint-action@v2\n2021-08-31T20:40:31.226+0900    INFO    Using your github token\n2021-08-31T20:40:31.281+0900    INFO    Number of language-specific files: 2\n2021-08-31T20:40:31.281+0900    INFO    Detecting npm vulnerabilities...\n2021-08-31T20:40:31.282+0900    INFO    Detecting gomod vulnerabilities...\n\npackage-lock.json (npm)\n=======================\nTotal: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)\n\n\nsample-go-mod/go.sum (gomod)\n============================\nTotal: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 3, CRITICAL: 0)\n\n+-----------------------------+------------------+----------+-----------------------------------+---------------------------------------+---------------------------------------+\n|           LIBRARY           | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION         |             FIXED VERSION             |                 TITLE                 |\n+-----------------------------+------------------+----------+-----------------------------------+---------------------------------------+---------------------------------------+\n| github.com/dgrijalva/jwt-go | CVE-2020-26160   | HIGH     | 3.2.0+incompatible                |                                       | jwt-go: access restriction            |\n|                             |                  |          |                                   |                                       | bypass vulnerability                  |\n|                             |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2020-26160 |\n+-----------------------------+------------------+          +-----------------------------------+---------------------------------------+---------------------------------------+\n| github.com/gogo/protobuf    | CVE-2021-3121    |          | 1.2.1                             | v1.3.2                                | gogo/protobuf:                        |\n|                             |                  |          |                                   |                                       | plugin/unmarshal/unmarshal.go         |\n|                             |                  |          |                                   |                                       | lacks certain index validation        |\n|                             |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2021-3121  |\n+-----------------------------+------------------+----------+-----------------------------------+---------------------------------------+---------------------------------------+\n| github.com/miekg/dns        | CVE-2019-19794   | MEDIUM   | 1.0.14                            | v1.1.25-0.20191211073109-8ebf2e419df7 | golang-github-miekg-dns: predictable  |\n|                             |                  |          |                                   |                                       | TXID can lead to response forgeries   |\n|                             |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2019-19794 |\n+-----------------------------+------------------+----------+-----------------------------------+---------------------------------------+---------------------------------------+\n| golang.org/x/crypto         | CVE-2020-29652   | HIGH     | 0.0.0-20200622213623-75b288015ac9 | v0.0.0-20201216223049-8b5274cf687f    | golang: crypto/ssh: crafted           |\n|                             |                  |          |                                   |                                       | authentication request can            |\n|                             |                  |          |                                   |                                       | lead to nil pointer dereference       |\n|                             |                  |          |                                   |                                       | --\u003eavd.aquasec.com/nvd/cve-2020-29652 |\n+-----------------------------+------------------+----------+-----------------------------------+---------------------------------------+---------------------------------------+\n2021-08-31T20:40:31+09:00 [INFO] Cleanup temporary directory for extracting supply chains: /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/\n\nRun results\n===========\n+----------------------------------+--------+--------------------------+-----------+-------+------------------------------------------------------------------+\n|               NAME               |  TYPE  |         COMMAND          | EXIT CODE | DEPTH |                               HASH                               |\n+----------------------------------+--------+--------------------------+-----------+-------+------------------------------------------------------------------+\n| .                                | local  | trivy fs --exit-code 1 . | 1         | 0     | 264b356a52a13e300b4635cf54b490e970e2ec0816678bbd81be62f5ad1f147d |\n|                                  |        |                          |           |       | (dir hash)                                                       |\n| actions/setup-go@v2              | action | trivy fs --exit-code 1 . | 0         | 1     | 331ce1d993939866bb63c32c6cbbfd48fa76fc57 (commit hash)           |\n| actions/checkout@v2              | action | trivy fs --exit-code 1 . | 1         | 1     | 5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f (commit hash)           |\n| golangci/golangci-lint-action@v2 | action | trivy fs --exit-code 1 . | 1         | 1     | 5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018 (commit hash)           |\n+----------------------------------+--------+--------------------------+-----------+-------+------------------------------------------------------------------+\n$\n```\n\n\u003c/details\u003e\n\n### Scan remote Git repository and supply chains for vulnerabilities using Trivy\n\n``` console\n$ oshka run repo github.com/rails/rails\n```\n\n\u003cdetails\u003e\n\n\u003csummary\u003eResult\u003c/summary\u003e\n\n``` console\n$ oshka run repo github.com/cli/cli\n2021-08-31T00:46:39+09:00 [INFO] Create temporary directory for extracting supply chains: /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/\n2021-08-31T00:46:39+09:00 [INFO] Extract repo github.com/cli/cli to /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/github.com/cli/cli\nEnumerating objects: 26086, done.\nCounting objects: 100% (743/743), done.\nCompressing objects: 100% (579/579), done.\nTotal 26086 (delta 256), reused 412 (delta 160), pack-reused 25343\n2021-08-31T00:46:46+09:00 [INFO] Run `trivy fs --exit-code 1 .` on /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/github.com/cli/cli\n2021-08-31T00:46:47.049+0900    INFO    Using your github token\n2021-08-31T00:46:47.130+0900    INFO    Number of language-specific files: 1\n2021-08-31T00:46:47.130+0900    INFO    Detecting gomod vulnerabilities...\n\n[...]\n\n2021-08-31T00:48:05+09:00 [INFO] Cleanup temporary directory for extracting supply chains: /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/\n\nRun results\n===========\n+-------------------------+--------+--------------------------+-----------+-------+------------------------------------------+\n|          NAME           |  TYPE  |         COMMAND          | EXIT CODE | DEPTH |                   HASH                   |\n+-------------------------+--------+--------------------------+-----------+-------+------------------------------------------+\n| github.com/rails/rails  | repo   | trivy fs --exit-code 1 . | 1         | 0     | c236ff686c6fa987924b8eefeec93c2abcc07843 |\n|                         |        |                          |           |       | (commit hash)                            |\n| actions/checkout@v2     | action | trivy fs --exit-code 1 . | 1         | 1     | 5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f |\n|                         |        |                          |           |       | (commit hash)                            |\n| actions/setup-python@v2 | action | trivy fs --exit-code 1 . | 0         | 1     | dc73133d4da04e56a135ae2246682783cc7c7cb6 |\n|                         |        |                          |           |       | (commit hash)                            |\n| ruby/setup-ruby@v1      | action | trivy fs --exit-code 1 . | 1         | 1     | dbac26120bf2cab885aa98ecb4d22838ae969776 |\n|                         |        |                          |           |       | (commit hash)                            |\n| actions/cache@v1        | action | trivy fs --exit-code 1 . | 1         | 1     | 70655ec8323daeeaa7ef06d7c56e1b9191396cbe |\n|                         |        |                          |           |       | (commit hash)                            |\n+-------------------------+--------+--------------------------+-----------+-------+------------------------------------------+\n$\n```\n\n\u003c/details\u003e\n\n### Scan action of GitHub Actions and supply chains for vulnerabilities using Trivy\n\n``` console\n$ oshka run action actions/cache@v2\n```\n\n\u003cdetails\u003e\n\n\u003csummary\u003eResult\u003c/summary\u003e\n\n``` console\n$ oshka run action actions/cache@v2\n2021-08-18T02:17:18+09:00 [INFO] Create temporary directory for extracting supply chains: /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/\n2021-08-18T02:17:18+09:00 [INFO] Extract action actions/cache@v2 to /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/actions/cache@v2\n\n[...]\n\nRun results\n===========\n+-----------------------------------+--------+--------------------------+-----------+-------+-------------------------------------------------------------------------+\n|               NAME                |  TYPE  |         COMMAND          | EXIT CODE | DEPTH |                                  HASH                                   |\n+-----------------------------------+--------+--------------------------+-----------+-------+-------------------------------------------------------------------------+\n| actions/cache@v2                  | action | trivy fs --exit-code 1 . | 0         | 0, 1  | c64c572235d810460d0d6876e9c705ad5002b353                                |\n|                                   |        |                          |           |       | (commit hash)                                                           |\n| actions/checkout@v2               | action | trivy fs --exit-code 1 . | 1         | 1     | 5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f                                |\n|                                   |        |                          |           |       | (commit hash)                                                           |\n| github/codeql-action/init@v1      | action | trivy fs --exit-code 1 . | 1         | 1     | 33f3438c1d59883f5e769fdf2b6adb6794d91d0f                                |\n|                                   |        |                          |           |       | (commit hash)                                                           |\n| github/codeql-action/autobuild@v1 | action | trivy fs --exit-code 1 . | 1         | 1     | 33f3438c1d59883f5e769fdf2b6adb6794d91d0f                                |\n|                                   |        |                          |           |       | (commit hash)                                                           |\n| github/codeql-action/analyze@v1   | action | trivy fs --exit-code 1 . | 1         | 1     | 33f3438c1d59883f5e769fdf2b6adb6794d91d0f                                |\n|                                   |        |                          |           |       | (commit hash)                                                           |\n| actions/setup-node@v1             | action | trivy fs --exit-code 1 . | 1         | 1     | f1f314fca9dfce2769ece7d933488f076716723e                                |\n|                                   |        |                          |           |       | (commit hash)                                                           |\n| ubuntu:latest                     | image  | trivy fs --exit-code 1 . | 1         | 1     | sha256:10cbddb6cf8568f56584ccb6c866203e68ab8e621bb87038e254f6f27f955bbe |\n|                                   |        |                          |           |       | (digest)                                                                |\n| datadog/squid:latest              | image  | trivy fs --exit-code 1 . | 1         | 1     | sha256:f7d19d5e3f4163771291d91de393ce667f2327a3e080c39b9b7ea9e19f91488f |\n|                                   |        |                          |           |       | (digest)                                                                |\n+-----------------------------------+--------+--------------------------+-----------+-------+-------------------------------------------------------------------------+\n$\n```\n\n\u003c/details\u003e\n\n### Scan more deep supply chains\n\n``` console\n$ oshka run fs . --depth 3\n```\n\n## Supported supply chains\n\n- GitHub Actions\n    - Workflow file (ex. `.github/workflows/*.yml` )\n    - Action file (ex. `action.yml` )\n        - When using Dockerfile, require `docker` for building image.\n- Docker image\n\n## Install\n\n**deb:**\n\nUse [dpkg-i-from-url](https://github.com/k1LoW/dpkg-i-from-url)\n\n``` console\n$ export OSHKA_VERSION=X.X.X\n$ curl -L https://git.io/dpkg-i-from-url | bash -s -- https://github.com/k1LoW/oshka/releases/download/v$OSHKA_VERSION/oshka_$OSHKA_VERSION-1_amd64.deb\n```\n\n**RPM:**\n\n``` console\n$ export OSHKA_VERSION=X.X.X\n$ yum install https://github.com/k1LoW/oshka/releases/download/v$OSHKA_VERSION/oshka_$OSHKA_VERSION-1_amd64.rpm\n```\n\n**apk:**\n\nUse [apk-add-from-url](https://github.com/k1LoW/apk-add-from-url)\n\n``` console\n$ export OSHKA_VERSION=X.X.X\n$ curl -L https://git.io/apk-add-from-url | sh -s -- https://github.com/k1LoW/oshka/releases/download/v$OSHKA_VERSION/oshka_$OSHKA_VERSION-1_amd64.apk\n```\n\n**homebrew tap:**\n\n```console\n$ brew install k1LoW/tap/oshka\n```\n\n**manually:**\n\nDownload binary from [releases page](https://github.com/k1LoW/oshka/releases)\n\n**go get:**\n\n```console\n$ go get github.com/k1LoW/oshka\n```\n\n**docker:**\n\n```console\n$ docker pull ghcr.io/k1low/oshka:latest\n```\n\n## References\n\n- [aquasecurity/trivy](https://github.com/aquasecurity/trivy): Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues\n- [Security hardening for GitHub Actions](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions): \"Using third-party actions\"\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fk1low%2Foshka","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fk1low%2Foshka","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fk1low%2Foshka/lists"}