Analyser for the security of CI usage in OSS projects :books:

Primary language: Go. License: MIT.

🤖 CIAnalyser

CIAnalyser is the tool developed for our paper, Understanding Security Threats in Open Source Software CI/CD Scripts (published in TDSC). It crawls open-source repositories that have CI configured and analyzes the security properties of their CI scripts.

For the latest release and the dataset, check here.

⚙️ Prerequisite

  • Docker
  • Golang
  • PostgreSQL

Prepare a config.ini configuration file following the config.ini.tmpl template.

💡 Dockerized PostgreSQL

To run a dockerized PostgreSQL, check this.

Start a postgres container:

$ docker run \
  --name postgres -d \
  --restart unless-stopped \
  -e POSTGRES_USER=ZJU-SEC \
  -e POSTGRES_PASSWORD=<YOUR DB PASSWORD> \
  -e POSTGRES_DB=CIAnalyser \
  -p 5432:5432 postgres

🛠️ Build

$ go build CIAnalyser

🚀 Run

$ ./CIAnalyser <stage-code>

These are the common stage codes, grouped by the situation they are used in:

crawl data:
  index-repo            crawl repos via GitHub API
  clone-repo            Git clone the crawled repos
  clone-script          Git clone the CI scripts
  crawl-verified        crawl the verified CI scripts
  
prepare for analysis: 
  extract-script        extract the CI scripts dependency
  categorize-script     categorize CI scripts to find 
  parse-using           get runtime environment of each CI script
  label-usage           count the reference type of the script usage
  label-lag             calculate reference lag of the script usage
  extract-credential    extract credential usage in repos
  
generate analysis report:
  analyze
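To make concrete what the label-usage and extract-credential stages count, here is a small added Go example (written for this page, not CIAnalyser's own code). It scans a workflow file line by line, labels every `uses:` entry by how the referenced script is pinned (full commit SHA, tag, branch, local path or docker image, or no ref at all) and lists the `${{ secrets.NAME }}` credentials the workflow reads. The line-based scan, the tag-versus-branch heuristic and the sample workflow are assumptions made for the illustration; the tool itself works on cloned repositories and a database.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RefKind labels how a CI script (a GitHub Actions step) is referenced.
// A full commit SHA is immutable; a tag or branch can be moved by its owner.
type RefKind string

const (
	RefSHA      RefKind = "commit-sha"
	RefTag      RefKind = "tag"
	RefBranch   RefKind = "branch"
	RefLocal    RefKind = "local-or-docker"
	RefUnpinned RefKind = "no-ref"
)

// ScriptUse is one `uses:` entry found in a workflow file.
type ScriptUse struct {
	Action string // owner/repo[/path], a ./local path, or a docker:// image
	Ref    string // text after '@'; empty when absent
	Kind   RefKind
}

var (
	// `- uses: owner/repo@ref`, optionally quoted, with a trailing comment allowed.
	usesRe    = regexp.MustCompile(`^\s*-?\s*uses:\s*['"]?([^'"\s#]+)`)
	secretsRe = regexp.MustCompile(`\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}`)
	shaRe     = regexp.MustCompile(`^[0-9a-f]{40}$`)
	// Heuristic (assumption): v4, v3.1.0 or 1.2 are tags; any other non-SHA ref is a branch.
	tagRe = regexp.MustCompile(`^v?[0-9]+(\.[0-9]+)*$`)
)

// ClassifyRef maps a `uses:` target to a RefKind.
func ClassifyRef(action, ref string) RefKind {
	if strings.HasPrefix(action, "./") || strings.HasPrefix(action, "docker://") {
		return RefLocal
	}
	switch {
	case ref == "":
		return RefUnpinned
	case shaRe.MatchString(ref):
		return RefSHA
	case tagRe.MatchString(ref):
		return RefTag
	default:
		return RefBranch
	}
}

// ExtractUses scans workflow text line by line and labels every `uses:` entry.
func ExtractUses(workflow string) []ScriptUse {
	var out []ScriptUse
	for _, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		action, ref := m[1], ""
		if !strings.HasPrefix(action, "docker://") {
			if i := strings.Index(action, "@"); i >= 0 {
				action, ref = action[:i], action[i+1:]
			}
		}
		out = append(out, ScriptUse{Action: action, Ref: ref, Kind: ClassifyRef(action, ref)})
	}
	return out
}

// CountRefKinds tallies reference types per workflow, the figure a label-usage stage reports.
func CountRefKinds(uses []ScriptUse) map[RefKind]int {
	counts := map[RefKind]int{}
	for _, u := range uses {
		counts[u.Kind]++
	}
	return counts
}

// ExtractSecrets returns the distinct secret names read via ${{ secrets.NAME }},
// in order of first appearance.
func ExtractSecrets(workflow string) []string {
	seen := map[string]bool{}
	var names []string
	for _, m := range secretsRe.FindAllStringSubmatch(workflow, -1) {
		if !seen[m[1]] {
			seen[m[1]] = true
			names = append(names, m[1])
		}
	}
	return names
}

// SampleWorkflow is constructed for this example; the 40-hex SHA is a placeholder, not a real commit.
const SampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/deploy-action@main   # tracks a moving branch
      - uses: ./.github/actions/local-step
      - name: Publish
        uses: "docker://ghcr.io/example/publisher:latest"
        env:
          TOKEN: ${{ secrets.NPM_TOKEN }}
          KEY: ${{ secrets.DEPLOY_KEY }}
      - run: echo "${{ secrets.NPM_TOKEN }}"
`

func main() {
	uses := ExtractUses(SampleWorkflow)
	for _, u := range uses {
		fmt.Printf("%-16s %s@%s\n", u.Kind, u.Action, u.Ref)
	}
	fmt.Println("reference kinds:", CountRefKinds(uses))
	fmt.Println("secrets referenced:", ExtractSecrets(SampleWorkflow))
}
```

On the sample, the one branch-pinned step is the finding a reviewer would act on: a branch reference pulls whatever the action's owner pushes next, whereas the SHA-pinned step only changes when the workflow itself is edited.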

📖 Citation

@article{pan2022ambush,
  title={Ambush from All Sides: Understanding Security Threats in Open-Source Software CI/CD Pipelines},
  author={Pan, Ziyue and Shen, Wenbo and Wang, Xingkai and Yang, Yutian and Chang, Rui and Liu, Yao and Liu, Chengwei and Liu, Yang and Ren, Kui},
  journal={IEEE Transactions on Dependable and Secure Computing},
  year={2023},
  publisher={IEEE}
}