A simple tool to find dangerous uses of GitHub Actions Expressions.
Run the tool from the root of a GitHub repository:
ades .
and it will report all detected dangerous uses of GitHub Actions Expressions.
You can also use the containerized version of the CLI, for example using Docker:
docker run --rm --volume $PWD:/src docker.io/ericornelissen/ades .
Or you can use Go to build from source and run the CLI directly, for example using go run
:
go run github.com/ericcornelissen/ades/cmd/ades@latest .
- Scans workflow files and action manifests.
- Reports dangerous uses of expressions in
run:
directives,actions/github-script
scripts, and known problematic action inputs. - (Experimental) Report dangerous uses of expressions in known vulnerable actions.
- Provides suggested fixes and (Experimental) fully automated fixes.
- Configurable sensitivity.
- Machine & human readable output formats.
See RULES.md.
The -json
flag can be used to get the scan results in JSON format. This can be used by machines to
parse the results to process them for other purposes. The schema is defined in schema.json
. The
schema is intended to be stable from one version to the next for longer periods of time.
A GitHub Actions Expression is a string like:
${{ <expression> }}
that may appear in a GitHub Actions workflow or manifest and is filled in at runtime. If the value is controlled by a malicious actor it could be used to hijack the continuous integration pipeline of a repository. GitHub blogged about this problem in August of 2023.
This project aims to provide a tool aimed at helping developers avoid the problem of injection
through expressions altogether. Instead of reporting on known problematic uses of expressions,
ades
reports on all potentially dangerous uses of expressions, nudging developers to use safe
alternatives from the get-go.
The motivation behind this is twofold. First, it makes the tool much simpler and faster. Second, it acknowledges that software development is dynamic and making changes some time after a piece of code was introduced can be harder when compared to when the code is being written - thus reporting when a dangerous expression is introduces simplifies the mitigation process.
A research tool aimed at finding problematic expression in GitHub Action Workflows and Actions,
similar to ades
.
Performs taint analysis tracking known problematic expressions across workflows, steps, and jobs and
into and out of JavaScript Actions. It only takes into account known problematic expressions that
use github
context values. Because of the taint analysis it will report fewer expressions than
ades
(fewer false positives), but it might also miss some problematic expressions (more false
negatives).
It may find problematic expressions as a result of a (unknown) vulnerability in an Action, which
ades
won't report because it is considered out of scope (and arguably better left for dedicated
tooling).
Lastly, a seemingly unrelated change in a workflow might change the result of the taint analysis and result in a new warning, thus requiring constant usage of ARGUS, which is relatively expensive.
A research tool aimed at finding misconfigurations in GitHub Action Workflows (not Actions). It
includes looking for problematic expression in run:
scripts, which is also covered by ades
.
When it reports on problematic expression in run:
scripts it only considers known problematic
expression that use github
context values. Because it considers fewer expressions problematic it
will report fewer expressions overall (fewer false positives), but it might also miss other
problematic expressions in run:
scripts and will completely miss others, for example in
actions/github-script
scripts, when compared to ades
(more false positives).
An open source tool developed by a commercial company. It aims to find misconfigurations in GitHub
Actions Workflows (not Actions). Among other checks it looks for a couple known problematic uses of
expressions involving the github
context. As a result it will report fewer expressions overall
(fewer false positives) but miss some compared to ades
(more false positives).
An open source tool developed by a commercial company. It aims to find misconfigurations in CI/CD
pipeline configurations including GitHub Actions Workflows. Among other checks it looks for a couple
known problematic uses of expressions involving the github
context. As a result it will report
fewer expressions overall (fewer false positives) but miss some compared to ades
(more
false positives).
There's other work being done in the scope of securing GitHub Actions Workflows and Actions that do not focus on expression but are still worth mentioning:
aeisenberg/codeql-actions-queries
(CodeQL queries for GitHub Actions)- A Preliminary Study of GitHub Actions Dependencies
- Characterizing the Security of Github CI Workflows
- On the outdatedness of workflows in the GitHub Actions ecosystem
- StepSecurity
The software is available under the GPL-3.0-or-later
license, see COPYING.txt for the full
license text. The documentation is available under the GFDL-1.3-or-later
license, see GNU Free
Documentation License v1.3 for the full license text.