GHAST (GitHub Actions Static Analysis Tool) is a tool to analyze the security posture of your GitHub Actions and its surrounding environment for common security vulnerabilities or missing security configuration.
License: MIT License
My name is Alex Rodriguez and I am an Offensive Security Engineer @Amazon.
For some reason when you have the verbose: true parameter set in the ASA workflow file you will not see any findings for inline scripts found.
The way to test this yourself is create a GitHub Action Workflow file with a run: action and if you set the verbose: true parameter you will not see the notification for that finding. If you then remove the verbose: true from the workflow file you will then be able to see the workflow finding.
Please see analyzer/analyzer.py
def _check_for_inline_script(self) -> bool:
passed = True
for job in self.jobs.keys():
steps = self.jobs[job]["steps"]
for step in steps:
if "run" in step:
if self.verbose:
print(
f"{Colors.LIGHT_GRAY}INFO{Colors.END} found inline script in job('{job}').step('{step['name']}')"
)
passed = False
return passed
First, let me say, I think this project is awesome and I want to help make it better if I can. :)
I'm creating this ticket as I wanted to have a discussion about how the ASA project identifies issues going forward. I thought about creating a PR and adding some code myself but wanted to have a conversation first.
I think the _check_for_inline_script function needs to be modified to do more than just check for the presence of 'run' in the action step. I understand that the GitHub Action hardening guide calls out inline scripts, but there needs to be a delineation between say a bash script is called from a remote location versus a run command that executes a binary in a specific action, like, say semgrep or npm. Right now, _check_for_inline_script will create a lot of false positives for many legitimate uses of the run action. Just take a look at the Semgrep Action: https://semgrep.dev/docs/semgrep-ci/sample-ci-configs/#sample-github-actions-configuration-file or the NPM Action: https://github.com/actions/setup-node. And there are thousands of others where the Action calls an executable inside the docker container that Action maps to.
tl;dr:
The use of 'run:' by itself should not be a finding, but if 'run:' calls a script or other insecure mechanism, then it should absolutely be a finding.
Let me know your thoughts.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.