Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/ericcornelissen/ades

Find dangerous uses of GitHub Actions Workflow expressions.
https://github.com/ericcornelissen/ades

gha scanner security

Last synced: about 4 hours ago
JSON representation

Find dangerous uses of GitHub Actions Workflow expressions.

Awesome Lists containing this project

README 

        



# Actions Dangerous Expressions Scanner



A simple tool to find dangerous uses of [GitHub Actions Expression]s.



## Usage



Run the tool from the root of a GitHub repository:



```shell

ades .

```



and it will report all detected dangerous uses of GitHub Actions Expressions.



You can also use the containerized version of the CLI, for example using Docker:



```shell

docker run --rm --volume $PWD:/src docker.io/ericornelissen/ades .

```



Or you can use Go to build from source and run the CLI directly, for example using `go run`:



```shell

go run github.com/ericcornelissen/ades/cmd/ades@latest .

```



### Features



- Scans workflow files and action manifests.

- Reports dangerous uses of expressions in [`run:`] directives, [`actions/github-script`] scripts,

  and known problematic action inputs.

- _(Experimental)_ Report dangerous uses of expressions in known vulnerable actions.

- Provides suggested fixes and _(Experimental)_ fully automated fixes.

- Configurable sensitivity.

- Machine & human readable output formats.



### Rules



See [RULES.md].



### JSON output



The `-json` flag can be used to get the scan results in JSON format. This can be used by machines to

parse the results to process them for other purposes. The schema is defined in [`schema.json`]. The

schema is intended to be stable from one version to the next for longer periods of time.



## Background



A [GitHub Actions Expression] is a string like:



```text

${{  }}

```



that may appear in a GitHub Actions workflow or manifest and is filled in at runtime. If the value

is controlled by a malicious actor it could be used to hijack the continuous integration pipeline of

a repository. GitHub [blogged about this problem] in August of 2023.



## Philosophy



This project aims to provide a tool aimed at helping developers avoid the problem of injection

through expressions altogether. Instead of reporting on known problematic uses of expressions,

`ades` reports on all potentially dangerous uses of expressions, nudging developers to use safe

alternatives from the get-go.



The motivation behind this is twofold. First, it makes the tool much simpler and faster. Second, it

acknowledges that software development is dynamic and making changes some time after a piece of code

was introduced can be harder when compared to when the code is being written - thus reporting when a

dangerous expression is introduces simplifies the mitigation process.



## Related Work



### [ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions]



A research tool aimed at finding problematic expression in GitHub Action Workflows and Actions,

similar to `ades`.



Performs taint analysis tracking known problematic expressions across workflows, steps, and jobs and

into and out of JavaScript Actions. It only takes into account known problematic expressions that

use `github` context values. Because of the taint analysis it will report fewer expressions than

`ades` (fewer _false positives_), but it might also miss some problematic expressions (more _false

negatives_).



It may find problematic expressions as a result of a (unknown) vulnerability in an Action, which

`ades` won't report because it is considered out of scope (and arguably better left for dedicated

tooling).



Lastly, a seemingly unrelated change in a workflow might change the result of the taint analysis and

result in a new warning, thus requiring constant usage of ARGUS, which is relatively expensive.



### [Automatic Security Assessment of GitHub Actions Workflows]



A research tool aimed at finding misconfigurations in GitHub Action Workflows (not Actions). It

includes looking for problematic expression in `run:` scripts, which is also covered by `ades`.



When it reports on problematic expression in `run:` scripts it only considers known problematic

expression that use `github` context values. Because it considers fewer expressions problematic it

will report fewer expressions overall (fewer _false positives_), but it might also miss other

problematic expressions in `run:` scripts and will completely miss others, for example in

`actions/github-script` scripts, when compared to `ades` (more _false positives_).



### [`poutine`]



An open source tool developed by a commercial company. It aims to find misconfigurations in CI/CD

pipeline configurations including GitHub Actions Workflows. Among other checks it looks for a couple

known problematic uses of expressions involving the `github` context. As a result it will report

fewer expressions overall (fewer _false positives_) but miss some compared to `ades` (more

_false positives_).



### [Raven]



An open source tool developed by a commercial company. It aims to find misconfigurations in GitHub

Actions Workflows (not Actions). Among other checks it looks for a couple known problematic uses of

expressions involving the `github` context. As a result it will report fewer expressions overall

(fewer _false positives_) but miss some compared to `ades` (more _false positives_).



### [`zizmor`]



An open source tool that aims to find security issues in GitHub Actions CI/CD setups. It reports

various kinds of potential security problems including dangerous uses of expressions ("template

injection"). Similar to `ades`, it will report on most uses of expressions but only in `run:` and

`actions/github-script` scripts expect for a small allowlist of known safe expressions. It does

distinguish between expressions known to be attacker controlled and only potentially attacker

controlled with different "severities".



### Others



There's other work being done in the scope of GitHub Actions security that do not focus on

expression but are still worth mentioning:



- [`actionlint`]

- [`aeisenberg/codeql-actions-queries`]  (CodeQL queries for GitHub Actions)

- [Ambush From All Sides: Understanding Security Threats in Open-Source Software CI/CD Pipelines]

- [A Preliminary Study of GitHub Actions Dependencies]

- [Catching Smells in the Act: A GitHub Actions Workflow Investigation]

- [Characterizing the Security of Github CI Workflows]

- [Continuous Intrusion: Characterizing the Security of Continuous Integration Services]

- [GitHub Actions Attack Diagram]

- [Mitigating Security Issues in GitHub Actions]

- [On the outdatedness of workflows in the GitHub Actions ecosystem]

- [Quantifying Security Issues in Reusable JavaScript Actions in GitHub Workflows]

- [StepSecurity]



## License



The software is available under the `GPL-3.0-or-later` license, see [COPYING.txt] for the full

license text. The documentation is available under the `GFDL-1.3-or-later` license, see [GNU Free

Documentation License v1.3] for the full license text.



[`actionlint`]: https://github.com/rhysd/actionlint

[`actions/github-script`]: https://github.com/actions/github-script

[`aeisenberg/codeql-actions-queries`]: https://github.com/aeisenberg/codeql-actions-queries

[`poutine`]: https://github.com/boostsecurityio/poutine

[`run:`]: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

[`schema.json`]: ./schema.json

[`zizmor`]: https://github.com/woodruffw/zizmor

[ambush from all sides: understanding security threats in open-source software ci/cd pipelines]: https://ieeexplore.ieee.org/abstract/document/10061526

[a preliminary study of github actions dependencies]: https://ceur-ws.org/Vol-3483/paper7.pdf

[argus: a framework for staged static taint analysis of github workflows and actions]: https://www.usenix.org/conference/usenixsecurity23/presentation/muralee

[automatic security assessment of github actions workflows]: https://dl.acm.org/doi/abs/10.1145/3560835.3564554

[blogged about this problem]: https://github.blog/2023-08-09-four-tips-to-keep-your-github-actions-workflows-secure/#1-dont-use-syntax-in-the-run-section-to-avoid-unexpected-substitution-behavior

[catching smells in the act: a github actions workflow investigation]: https://azaidman.github.io/publications/khatamiSCAM2024b.pdf

[characterizing the security of github ci workflows]: https://www.usenix.org/conference/usenixsecurity22/presentation/koishybayev

[continuous intrusion: characterizing the security of continuous integration services]: https://ieeexplore.ieee.org/abstract/document/10179471

[copying.txt]: ./COPYING.txt

[raven]: https://github.com/CycodeLabs/raven

[github actions attack diagram]: https://github.com/jstawinski/GitHub-Actions-Attack-Diagram

[github actions expression]: https://docs.github.com/en/actions/learn-github-actions/expressions

[gnu free documentation license v1.3]: https://www.gnu.org/licenses/fdl-1.3.en.html

[mitigating security issues in gitHub actions]: https://dl.acm.org/doi/abs/10.1145/3643662.3643961

[on the outdatedness of workflows in the github actions ecosystem]: https://www.sciencedirect.com/science/article/pii/S0164121223002224

[quantifying security issues in reusable javascript actions in github workflows]: https://dl.acm.org/doi/abs/10.1145/3643991.3644899

[rules.md]: ./RULES.md

[stepsecurity]: https://www.stepsecurity.io/