
Octoscan

Octoscan is a static vulnerability scanner for GitHub action workflows.


[image: img/dependabot.png]


Installation

$ go mod tidy
$ go build

Or with docker:

$ docker pull ghcr.io/synacktiv/octoscan:latest

Usage

download remote workflows

Octoscan can be run against a local git repository or you can download all the workflows with the dl action:

$ octoscan dl -h  
Octoscan.

Usage:
	octoscan dl [options] --org <org> [--repo <repo> --token <pat> --default-branch --max-branches <num> --path <path> --output-dir <dir> --include-archives]

Options:
	-h, --help  						Show help
	-d, --debug  						Debug output
	--verbose  						Verbose output
	--org <org>  						Organizations to target
	--repo <repo>  						Repository to target
	--token <pat>  						GHP to authenticate to GitHub
	--default-branch  					Only download workflows from the default branch
	--max-branches <num>  					Limit the number of branches to download
	--path <path>  						GitHub file path to download [default: .github/workflows]
	--output-dir <dir>  					Output dir where to download files [default: octoscan-output]
	--include-archives  					Also download archived repositories

./octoscan dl --token ghp_<token> --org apache --repo incubator-answer

analyze

If you don't know what to run, start with this:

./octoscan scan path/to/repos/ --disable-rules shellcheck,local-action --filter-triggers external

It will reduce false positives and give the most interesting results.

If you downloaded the workflows with the dl command you may have duplicate workflows, since by default octoscan downloads the workflows of every branch. To delete the duplicates and speed up the analysis, run fdupes before the scan:

fdupes -n -r -N -d path/to/repo

$ octoscan scan -h
octoscan

Usage:
	octoscan scan [options] --list-rules
	octoscan scan [options] <target>
	octoscan scan [options] <target> [--debug-rules --filter-triggers=<triggers> --filter-run --ignore=<pattern> ((--disable-rules | --enable-rules ) <rules>) --config-file <config>]

Options:
	-h, --help
	-v, --version
	-d, --debug
	--verbose
	--format <format>  				Output format, json, sarif or custom template to format error messages in Go template syntax. See https://github.com/rhysd/actionlint/tree/main/docs/usage.md#format
	--oneline 					Use one line per one error. Useful for reading error messages from programs

Args:
	<target>					Target File or directory to scan
	--filter-triggers <triggers>			Scan workflows with specific triggers (comma separated list: "push,pull_request_target" or pre-configured: external/allnopr)
	--filter-run					Search for expression injection only in run shell scripts.
	--ignore <pattern>				Regular expression matching to error messages you want to ignore.
	--disable-rules <rules>				Disable specific rules. Split on ","
	--enable-rules <rules>				Enable specific rules, this will disable all other rules. Split on ","
	--debug-rules					Enable debug rules.
	--config-file <config>				Config file.

Examples:
	$ octoscan scan ci.yml --disable-rules shellcheck,local-action --filter-triggers external

GitHub action

This tool can also be used directly as a GitHub action to scan your repository on push/pull_request events. For more information please check the action-octoscan repository (https://github.com/synacktiv/action-octoscan).

[image: https://github.com/synacktiv/action-octoscan/blob/main/img/action-octoscan.png]

Rules

The complete list of rules can be found with this command:

$ octoscan scan --list-rules  
2024/08/07 16:50:48 [INFO] Available rules
- shellcheck
	Checks for shell script sources in "run:" using shellcheck
- credentials
	Checks for credentials in "services:" configuration
- dangerous-action
	Check for dangerous actions.
- dangerous-checkout
	Check for dangerous checkout.
- expression-injection
	Check for expression injection.
- dangerous-write
	Check for dangerous write operation on $GITHUB_OUTPUT or $GITHUB_ENV.
- local-action
	Check for local actions.
- runner-label
	Checks for GitHub-hosted and preset self-hosted runner labels in "runs-on:"
- unsecure-commands
	Check 'ACTIONS_ALLOW_UNSECURE_COMMANDS' env variable.
- known-vulnerability
	Check for known vulnerabilities.
- bot-check
	Check for if statements that are based on a bot identity.
- dangerous-artefact
	Check for workflow that upload artefacts containing sensitive files.
- debug-external-trigger
	Check for workflow that can be externally triggered.
- debug-artefacts
	Check for workflow that upload artefacts.
- debug-js-exec
	Check for workflow that execute system commands in JS scripts.
- debug-oidc-action
	Check for OIDC actions.
- repo-jacking
	Verify that external actions are pointing to a valid GitHub user or organization.

dangerous-checkout

Triggers like workflow_run or pull_request_target run in a privileged context: they have read access to secrets and potentially write access to the targeted repository. Performing an explicit checkout of the untrusted code results in attacker-controlled code being checked out in that privileged context.
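The check below is an added example, not octoscan's own code, and implements the dangerous-checkout idea described above as a small heuristic. The workflows are constructed Python dicts shaped like what a YAML parser would produce (the `on:` key is kept as a string), and the set of "untrusted head" expressions it looks for (github.head_ref, github.event.pull_request.head.*, github.event.workflow_run.head_*) is my own choice of standard GitHub context fields, not octoscan's rule definition.

```python
"""Added example (not octoscan's own code): a minimal dangerous-checkout heuristic.

A checkout of the untrusted head is only a problem when the workflow itself runs
in a privileged context, so the rule combines two conditions: a privileged
trigger and an actions/checkout step whose ref resolves to attacker-controlled code.
"""
import re

# Triggers that run with secrets (and usually a write token) for external events.
PRIVILEGED_TRIGGERS = {"pull_request_target", "workflow_run"}

# Expressions that resolve to the head of the untrusted code. These are standard
# GitHub context fields; the selection is an assumption of this example.
UNTRUSTED_REF = re.compile(
    r"\$\{\{\s*(github\.head_ref"
    r"|github\.event\.pull_request\.head\.\w+"
    r"|github\.event\.workflow_run\.head_\w+)\s*\}\}"
)


def triggers_of(workflow):
    """Normalise the three YAML spellings of `on:` (string, list, mapping) to a set."""
    on = workflow.get("on", {})
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def steps_of(workflow):
    """Yield (job name, step index, step mapping) for every step in the workflow."""
    for job_name, job in workflow.get("jobs", {}).items():
        for idx, step in enumerate(job.get("steps", [])):
            yield job_name, idx, step


def dangerous_checkouts(workflow):
    """Return (job, step index, ref) for explicit checkouts of untrusted code
    in a workflow that runs on a privileged trigger; empty list otherwise."""
    findings = []
    if not triggers_of(workflow) & PRIVILEGED_TRIGGERS:
        return findings
    for job_name, idx, step in steps_of(workflow):
        if not str(step.get("uses", "")).startswith("actions/checkout"):
            continue
        ref = str(step.get("with", {}).get("ref", ""))
        if UNTRUSTED_REF.search(ref):
            findings.append((job_name, idx, ref))
    return findings


# Constructed vulnerable workflow: pull_request_target plus checkout of the PR head,
# followed by a step that executes whatever that head contains.
VULNERABLE = {
    "on": {"pull_request_target": {}},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm ci && npm test"},
    ]}},
}

# Same steps under plain pull_request: no secrets, read-only token, so not reported.
UNPRIVILEGED = {"on": ["pull_request"], "jobs": VULNERABLE["jobs"]}

# Privileged trigger but the default checkout of the base repository: not reported.
SAFE = {
    "on": {"pull_request_target": {}},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "npm ci && npm test"},
    ]}},
}

if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE), ("unprivileged", UNPRIVILEGED), ("safe", SAFE)]:
        print(name, dangerous_checkouts(wf))
```

The SAFE case is the usual fix: keep the privileged trigger if you need it, but check out the base repository and treat the pull request's files as data (for example by downloading only the diff), never as code to execute.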

Examples: excalidraw

dangerous-action

This rule warns the user if a dangerous action is used. It is mainly focused on untrusted artifacts.

It is common practice to use artifacts to pass data between different workflows. We often encounter this with the workflow_run trigger where the triggering workflow will prepare some data that will then be sent to the triggered workflow. Given the untrusted nature of this artifact data, it is crucial to treat it with caution and recognize it as a potential threat. The vulnerability arises from the fact that external entities, such as malicious actors, can influence the content of the artifact data.

Examples: ant-design

dangerous-write

GitHub creates default environment variables that can be used inside every step of a workflow. The GITHUB_ENV and GITHUB_OUTPUT variables are particularly interesting: it is possible to define an environment variable in one step and use it in another by writing it to the file that the corresponding variable points to. If a user can control the content of the variable being set, this can lead to arbitrary code execution.

Examples: swagger

expression-injection

Each workflow trigger comes with an associated GitHub context, offering comprehensive information about the event that initiated it. This includes details about the user who triggered the event, the branch name, and other relevant contextual information. Certain components of this event data, such as the base repository name, or pull request number, cannot be manipulated or exploited for injection by the user who initiated the event (e.g., in the case of a pull request). This ensures a level of control and security over the information provided by the GitHub context during workflow execution.

However, some elements can be controlled by an attacker and should be sanitized before being used. Here is the list of such elements:

  • github.event.issue.title
  • github.event.issue.body
  • github.event.pull_request.title
  • github.event.pull_request.body
  • `github.event.comment.b
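The following is an added example, not octoscan's own code, covering both the expression-injection rule described here and the dangerous-write rule above, since both hinge on the same list of attacker-controlled context values. The untrusted set is the four complete entries the list above gives; the workflows are constructed Python dicts shaped like parsed YAML; and the shell-line pattern for appends to $GITHUB_ENV / $GITHUB_OUTPUT is my own heuristic, not octoscan's implementation. The hardened step shows the standard mitigation: pass the value through `env:` and use it only as a quoted shell variable.

```python
"""Added example (not octoscan's own code): expression-injection and
dangerous-write heuristics run over constructed workflows.

expression-injection: an attacker-controlled ${{ }} expression interpolated
  straight into a run: script (the expression is substituted before the shell
  sees the script, so quoting inside the script does not help).
dangerous-write: a line that appends attacker-controlled data to $GITHUB_ENV or
  $GITHUB_OUTPUT, either directly or through an env: variable set from such data.
"""
import re

# Attacker-controlled context values, taken from the README's list above.
UNTRUSTED = {
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
}

EXPR = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")
# Shell line appending to the env/output file, e.g.  echo "K=v" >> "$GITHUB_ENV"
WRITE_LINE = re.compile(r'>>\s*"?\$\{?(GITHUB_ENV|GITHUB_OUTPUT)\}?"?')


def steps_of(workflow):
    """Yield (job name, step index, step mapping) for every step in the workflow."""
    for job_name, job in workflow.get("jobs", {}).items():
        for idx, step in enumerate(job.get("steps", [])):
            yield job_name, idx, step


def untrusted_exprs(text):
    """Context expressions in text whose value an outside user controls."""
    return [m.group(1) for m in EXPR.finditer(text) if m.group(1) in UNTRUSTED]


def expression_injection(workflow):
    """Return (job, step index, expression) for untrusted expressions in run: scripts."""
    findings = []
    for job, idx, step in steps_of(workflow):
        for expr in untrusted_exprs(str(step.get("run", ""))):
            findings.append((job, idx, expr))
    return findings


def dangerous_write(workflow):
    """Return (job, step index, file variable) for writes of attacker-controlled
    data to GITHUB_ENV / GITHUB_OUTPUT, directly or via a tainted env: variable."""
    findings = []
    for job, idx, step in steps_of(workflow):
        # Shell variables that this step's env: block fills from untrusted data.
        tainted_vars = {name for name, val in step.get("env", {}).items()
                        if untrusted_exprs(str(val))}
        for line in str(step.get("run", "")).splitlines():
            m = WRITE_LINE.search(line)
            if not m:
                continue
            written = line[:m.start()]  # the part that produces the written value
            tainted = bool(untrusted_exprs(written)) or any(
                re.search(r"\$\{?" + re.escape(v) + r"\b", written) for v in tainted_vars)
            if tainted:
                findings.append((job, idx, m.group(1)))
    return findings


# Constructed: the issue title is interpolated straight into the shell script.
VULNERABLE_RUN = {
    "on": ["issues"],
    "jobs": {"triage": {"runs-on": "ubuntu-latest", "steps": [
        {"run": 'echo "New issue: ${{ github.event.issue.title }}"'},
    ]}},
}

# Constructed: the title enters safely through env:, but is then written to
# GITHUB_ENV, so a title containing newlines can define further variables.
VULNERABLE_WRITE = {
    "on": ["issues"],
    "jobs": {"triage": {"runs-on": "ubuntu-latest", "steps": [
        {"env": {"TITLE": "${{ github.event.issue.title }}"},
         "run": 'echo "ISSUE_TITLE=$TITLE" >> "$GITHUB_ENV"'},
    ]}},
}

# Constructed hardened step: the value is only ever a quoted shell variable.
HARDENED = {
    "on": ["issues"],
    "jobs": {"triage": {"runs-on": "ubuntu-latest", "steps": [
        {"env": {"TITLE": "${{ github.event.issue.title }}"},
         "run": 'echo "New issue: $TITLE"'},
    ]}},
}

if __name__ == "__main__":
    for name, wf in [("run", VULNERABLE_RUN), ("write", VULNERABLE_WRITE), ("hardened", HARDENED)]:
        print(name, expression_injection(wf), dangerous_write(wf))
```

Note that the hardened workflow still contains the untrusted expression, only inside `env:` rather than `run:`; that is exactly the distinction octoscan's `--filter-run` option draws when it restricts the expression-injection search to run shell scripts.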
