Skip to content

Find dangerous uses of GitHub Actions Workflow expressions.

License

Notifications You must be signed in to change notification settings

ericcornelissen/ades

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Actions Dangerous Expressions Scanner

A simple tool to find dangerous uses of GitHub Actions Expressions.

Usage

Run the tool from the root of a GitHub repository:

ades .

and it will report all detected dangerous uses of GitHub Actions Expressions.

You can also use the containerized version of the CLI, for example using Docker:

docker run --rm --volume $PWD:/src docker.io/ericornelissen/ades .

Or you can use Go to build from source and run the CLI directly, for example using go run:

go run github.com/ericcornelissen/ades/cmd/ades@latest .

Features

  • Scans workflow files and action manifests.
  • Reports dangerous uses of expressions in run: directives, actions/github-script scripts, and known problematic action inputs.
  • (Experimental) Report dangerous uses of expressions in known vulnerable actions.
  • Provides suggested fixes and (Experimental) fully automated fixes.
  • Configurable sensitivity.
  • Machine & human readable output formats.

Rules

See RULES.md.

JSON output

The -json flag can be used to get the scan results in JSON format. This can be used by machines to parse the results to process them for other purposes. The schema is defined in schema.json. The schema is intended to be stable from one version to the next for longer periods of time.

Background

A GitHub Actions Expression is a string like:

${{ <expression> }}

that may appear in a GitHub Actions workflow or manifest and is filled in at runtime. If the value is controlled by a malicious actor it could be used to hijack the continuous integration pipeline of a repository. GitHub blogged about this problem in August of 2023.

Philosophy

This project aims to provide a tool aimed at helping developers avoid the problem of injection through expressions altogether. Instead of reporting on known problematic uses of expressions, ades reports on all potentially dangerous uses of expressions, nudging developers to use safe alternatives from the get-go.

The motivation behind this is twofold. First, it makes the tool much simpler and faster. Second, it acknowledges that software development is dynamic and making changes some time after a piece of code was introduced can be harder when compared to when the code is being written - thus reporting when a dangerous expression is introduces simplifies the mitigation process.

Related Work

A research tool aimed at finding problematic expression in GitHub Action Workflows and Actions, similar to ades.

Performs taint analysis tracking known problematic expressions across workflows, steps, and jobs and into and out of JavaScript Actions. It only takes into account known problematic expressions that use github context values. Because of the taint analysis it will report fewer expressions than ades (fewer false positives), but it might also miss some problematic expressions (more false negatives).

It may find problematic expressions as a result of a (unknown) vulnerability in an Action, which ades won't report because it is considered out of scope (and arguably better left for dedicated tooling).

Lastly, a seemingly unrelated change in a workflow might change the result of the taint analysis and result in a new warning, thus requiring constant usage of ARGUS, which is relatively expensive.

A research tool aimed at finding misconfigurations in GitHub Action Workflows (not Actions). It includes looking for problematic expression in run: scripts, which is also covered by ades.

When it reports on problematic expression in run: scripts it only considers known problematic expression that use github context values. Because it considers fewer expressions problematic it will report fewer expressions overall (fewer false positives), but it might also miss other problematic expressions in run: scripts and will completely miss others, for example in actions/github-script scripts, when compared to ades (more false positives).

An open source tool developed by a commercial company. It aims to find misconfigurations in CI/CD pipeline configurations including GitHub Actions Workflows. Among other checks it looks for a couple known problematic uses of expressions involving the github context. As a result it will report fewer expressions overall (fewer false positives) but miss some compared to ades (more false positives).

An open source tool developed by a commercial company. It aims to find misconfigurations in GitHub Actions Workflows (not Actions). Among other checks it looks for a couple known problematic uses of expressions involving the github context. As a result it will report fewer expressions overall (fewer false positives) but miss some compared to ades (more false positives).

An open source tool that aims to find security issues in GitHub Actions CI/CD setups. It reports various kinds of potential security problems including dangerous uses of expressions ("template injection"). Similar to ades, it will report on most uses of expressions but only in run: and actions/github-script scripts expect for a small allowlist of known safe expressions. It does distinguish between expressions known to be attacker controlled and only potentially attacker controlled with different "severities".

Others

There's other work being done in the scope of GitHub Actions security that do not focus on expression but are still worth mentioning:

License

The software is available under the GPL-3.0-or-later license, see COPYING.txt for the full license text. The documentation is available under the GFDL-1.3-or-later license, see GNU Free Documentation License v1.3 for the full license text.