actions-security-analyzer

Name: actions-security-analyzer
Version: 1.4.5
Summary: Analyze the security posture of one or more GitHub Actions
Upload time: 2023-08-03 20:40:21
Requires Python: >=3.7
Requirements: iniconfig, packaging, pluggy, pytest, PyYAML
# asa

asa (actions-security-analyzer) is a tool to analyze the security posture of your GitHub Actions.

![asa-stdout](/images/asa-stdout.png)

### Installation

> Make sure you have `$HOME/.local/bin` in your PATH

```
pip install actions-security-analyzer
```

### Usage

```
asa --file action.yml
asa -d directory-with-actions/ --verbose
asa --file action.yml --ignore-warnings
asa --list-checks
```

### Use `asa` in Your GitHub Workflows

#### Example

```yaml
name: 'RunActionsSecurityAnalyzer'
on:
  push:
    branches:
      - main
      - dev
    paths:
      - '.github/workflows/**'
jobs:
  RunAsa:
    runs-on: ubuntu-latest
    steps:
    - name: "Checkout repo"
      uses: actions/checkout@96f53100ba2a5449eb71d2e6604bbcd94b9449b5 # v3.5.3
    - name: "Run asa scanner"
      uses: "bin3xish477/asa@ee733379e314d44f1a960a70339ee5e5d19e404d"
      with:
        dir: "./actions/"
        verbose: true
        no-summary: true
        ignore-checks: 'check_for_inline_script check_for_cache_action_usage'
```

### Checks Performed by `asa`

1. Name: `check_for_3p_actions_without_hash`, Level: `FAIL`

    - This check identifies any third-party GitHub Actions in use that are referenced by a version tag such as `v1.1` instead of a commit SHA hash. Pinning to a hash helps mitigate supply chain threats in a scenario where a threat actor has compromised the source repository that hosts the third-party action.

2. Name: `check_for_allow_unsecure_commands`, Level: `FAIL`

    - This check looks for use of the environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS`, which allows an Action to use the dangerous `set-env` and `add-path` workflow commands; these can lead to code injection and credential theft.

3. Name: `check_for_cache_action_usage`, Level: `WARN`

    - This check finds any usage of GitHub's caching Action (`actions/cache`) which may result in sensitive information disclosure or cache poisoning.

4. Name: `check_for_dangerous_write_permissions`, Level: `FAIL`

    - This check looks for write permissions granted to potentially dangerous scopes such as `contents`, which may allow an adversary to write code into the target repository if they are able to compromise the workflow. It also looks for `write-all`, which gives the action write access to every scope.

5. Name: `check_for_inline_script`, Level: `WARN`

    - This check simply warns that you are using an inline script instead of a GitHub Action. Inline scripts are susceptible to script injection (covered by a separate `asa` check). It is recommended to write an action and pass any required context values to it as inputs; this removes the script injection vector because action inputs are treated as arguments and are not evaluated as part of a script.

6. Name: `check_for_pull_request_target`, Level: `FAIL`

    - This check looks for the dangerous `pull_request_target` event trigger, which runs the workflow in the context of the repository that defines the workflow rather than the repository the pull request originated from, potentially allowing a threat actor to gain access to the repository's secrets.

7. Name: `check_for_script_injection`, Level: `FAIL`

    - This check looks for the most widely known security risk to GitHub Actions: script injection. Script injection occurs when an inline script directly includes (using the `${{ ... }}` syntax) a GitHub context variable that an untrusted actor can control, resulting in command execution in the interpreting shell. Such user-controllable values should instead be passed into the inline script as environment variables.

8. Name: `check_for_self_hosted_runners`, Level: `WARN`

    - This check attempts to identify the use of self-hosted runners. Self-hosted runners are dangerous because, if the Action is compromised, a threat actor may gain access to your on-premises environment or establish persistence on a server you own or rent.

9. Name: `check_for_aws_configure_credentials_non_oidc`, Level: `WARN`

    - This check looks for use of AWS's `aws-actions/configure-aws-credentials` action and attempts to identify non-OIDC authentication parameters. Non-OIDC authentication is less secure than OIDC because it requires long-term credentials that can be compromised, whereas OIDC tokens are short-lived and usually scoped to only the permissions a workflow needs, which reduces the attack surface.

10. Name: `check_for_pull_request_create_or_approve`, Level: `WARN`

    - This check looks for Actions that contain logic for creating or approving pull requests. Creating or approving pull requests via automation poses a security risk if sufficient controls are not in place to prevent malicious code from being merged into a repository.

11. Name: `check_for_remote_script`, Level: `WARN`

    - This check looks for a URL in an inline script of a GitHub Action, which usually signals the inclusion of a remote script and can be dangerous.
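To make the checks above concrete, here is an added example (not asa's own code) that re-implements a handful of them with PyYAML, the parser asa itself depends on: unpinned third-party actions (check 1), dangerous write permissions (check 4), `pull_request_target` (check 6), script injection in `run:` bodies (check 7) and static AWS credentials passed to `configure-aws-credentials` (check 9). The check names follow the README; the matching rules, the `Finding` type, the list of untrusted contexts and the sample workflow are constructed here and are assumptions, not asa's behaviour. The sample deliberately contains both the injectable form of an inline script and its hardened `env:` form so the difference is visible in the output.

```python
# Added example: toy, asa-style checks over a workflow file. Not asa's own code; the
# matching rules, Finding type, untrusted-context list and sample workflow are constructed.
import re
from typing import NamedTuple
import yaml  # PyYAML, a dependency asa itself lists

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Expressions an outside contributor can influence (constructed list, not exhaustive).
UNTRUSTED_RE = re.compile(r"\$\{\{[^}]*github\.(event\.(pull_request|issue|comment|review)\.|head_ref)[^}]*\}\}")
AWS_ACTION = "aws-actions/configure-aws-credentials"
AWS_STATIC_INPUTS = {"aws-access-key-id", "aws-secret-access-key"}  # long-lived, non-OIDC inputs

class Finding(NamedTuple):
    check: str
    level: str  # FAIL or WARN, mirroring asa's levels
    detail: str

def jobs(wf):
    return (wf.get("jobs") or {}).items()

def steps(wf):
    return [(job, step) for job, spec in jobs(wf) for step in (spec.get("steps") or [])]

def triggers(wf):
    # PyYAML follows YAML 1.1, so a bare `on:` key loads as the boolean True, not the string "on".
    on = wf.get("on", wf.get(True))
    if isinstance(on, str):
        return {on}
    return set(on) if isinstance(on, (list, dict)) else set()

def check_for_3p_actions_without_hash(wf):
    out = []
    for job, step in steps(wf):
        uses = step.get("uses") or ""
        if not uses or uses.startswith(("./", "docker://")):
            continue  # local paths and images carry no commit to pin
        if not SHA_RE.match(uses.partition("@")[2]):
            out.append(Finding("check_for_3p_actions_without_hash", "FAIL", f"{job}: {uses}"))
    return out

def check_for_pull_request_target(wf):
    hit = "pull_request_target" in triggers(wf)
    return [Finding("check_for_pull_request_target", "FAIL", "workflow trigger")] if hit else []

def check_for_dangerous_write_permissions(wf):
    out = []
    for where, perms in [("workflow", wf.get("permissions"))] + [(j, s.get("permissions")) for j, s in jobs(wf)]:
        if perms == "write-all" or (isinstance(perms, dict) and perms.get("contents") == "write"):
            out.append(Finding("check_for_dangerous_write_permissions", "FAIL", f"{where}: {perms}"))
    return out

def check_for_script_injection(wf):
    # Only `run:` bodies are inspected; the same expression under `env:` is the safe form.
    return [Finding("check_for_script_injection", "FAIL", f"{job}: {m.group(0)}")
            for job, step in steps(wf) for m in UNTRUSTED_RE.finditer(str(step.get("run") or ""))]

def check_for_aws_configure_credentials_non_oidc(wf):
    out = []
    for job, step in steps(wf):
        static = AWS_STATIC_INPUTS & set(step.get("with") or {})
        if (step.get("uses") or "").startswith(AWS_ACTION) and static:
            out.append(Finding("check_for_aws_configure_credentials_non_oidc", "WARN", f"{job}: {sorted(static)}"))
    return out

CHECKS = (check_for_3p_actions_without_hash, check_for_pull_request_target,
          check_for_dangerous_write_permissions, check_for_script_injection,
          check_for_aws_configure_credentials_non_oidc)

def analyze(workflow_text):
    wf = yaml.safe_load(workflow_text) or {}
    return [f for check in CHECKS for f in check(wf)]

# Constructed sample workflow; it trips every check above, once or twice each.
SAMPLE = """
name: ci
on:
  pull_request_target:
permissions:
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/checkout@96f53100ba2a5449eb71d2e6604bbcd94b9449b5
      - name: greet
        run: echo "Hello ${{ github.event.pull_request.title }}"
      - name: greet safely
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Hello $TITLE"
      - uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_KEY }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET }}
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"[{f.level}] {f.check}: {f.detail}")
```

Running the file reports six findings for the sample: both tag-pinned `uses:` lines, the `pull_request_target` trigger, the workflow-level `contents: write`, the `greet` step (but not `greet safely`, whose expression sits under `env:` and is read by the shell as an ordinary variable) and the static AWS key inputs. The `triggers` helper is the one piece worth copying: PyYAML resolves a bare `on` key to the boolean `True`, so a checker that only looks up the string `"on"` silently misses every trigger.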

### References

- [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)

Raw data

{
    "_id": null,
    "home_page": null,
    "name": "actions-security-analyzer",
    "maintainer": null,
    "docs_url": null,
    "requires_python": ">=3.7",
    "maintainer_email": null,
    "keywords": null,
    "author": null,
    "author_email": "Alexis Rodriguez <arodriguez99@protonmail.com>",
    "download_url": "https://files.pythonhosted.org/packages/f9/04/a9b15c862b435f186df3f619a6c69905af55be25ad25e2928fca78786b64/actions_security_analyzer-1.4.5.tar.gz",
    "platform": null,
    "description": "# asa\nasa (actions-security-analzyer) is a tool to analyze the security posture of your GitHub Actions.\n\n![asa-stdout](/images/asa-stdout.png)\n\n### Installation\n\n> Make sure you have `$HOME/.local/bin` in your PATH\n\n```\npip install actions-security-analzyer\n```\n\n### Usage\n\n```\nasa --file action.yml\nasa -d directory-with-actions/ --verbose\nasa --file action.yml --ignore-warnings\nasa --list-checks\n```\n\n### Use `asa` in Your GitHub Workflows\n\n#### Example\n\n```yaml\nname: 'RunActionsSecurityAnalzyer'\non:\n  push:\n    branches:\n      - main\n      - dev\n    paths:\n      - '.github/workflows/**'\njobs:\n  RunAsa:\n    runs-on: ubuntu-latest\n    steps:\n    - name: \"Checkout repo\"\n      uses: actions/checkout@96f53100ba2a5449eb71d2e6604bbcd94b9449b5 # v3.5.3\n    - name: \"Run asa scanner\"\n      uses: \"bin3xish477/asa@ee733379e314d44f1a960a70339ee5e5d19e404d\"\n      with:\n        dir: \"./actions/\"\n        verbose: true\n        no-summary: true\n        ignore-checks: 'check_for_inline_script check_for_cache_action_usage'\n```\n\n### Checks Performed by `asa`\n\n1. Name: `check_for_3p_actions_without_hash`, Level: `FAIL`\n\n    - This check identifies any third-party GitHub Actions in use that have been referenced via a version number such as `v1.1` instead of commit SHA haah. Using a hash can help mitigate supply chain threats in a scenario where a threat actor has compromised the source repository where the 3P action lives.\n\n2. Name: `check_for_allow_unsecure_commands`, Level: `FAIL`\n\n    - This check looks for the usage of environment variable called `ACTIONS_ALLOW_UNSECURE_COMMANDS` which allows for an Action to get access to dangerous commands (`get-env`, `add-path`) which can lead to code injection and credential thefts opportunities.\n\n3. Name: `check_for_cache_action_usage`, Level: `WARN`\n\n    - This check finds any usage of GitHub's caching Action (`actions/cache`) which may result in sensitive information disclosure or cache poisoning.\n\n4. Name: `check_for_dangerous_write_permissions`, Level: `FAIL`\n\n    - This check looks for write permissions granted to potentially dangerous scopes such as the `contents` scope which may allow an adversary write code into the target repository if they're able to compromise the workflow. It's also looks for usage of the `write-all` which gives the action complete write access to all scopes.\n\n5. Name: `check_for_inline_script`, Level: `WARN`\n\n    - This check simply warns that you're using an inline script instead of GitHub Action. Inline scripts are susceptible to script injection attacks (another check covered by `asa`). It is recommended to write an action and pass any required context values as inputs to that action which removes script injection vector because action input are properly treated as arguments and are not evaluated as part of a script.\n\n6. Name: `check_for_pull_request_target`, Level: `FAIL`\n\n    - This check looks for the usage of the dangerous event trigger `pull_request_target` which allows workflow executions to run in the context of the repository that defines the workflow, not the repository that the pull request originated from, potentially allowing a threat actor to gain access to a repositories sensitive secrets!\n\n7. Name: `check_for_script_injection`, Level: `FAIL`\n\n    - This check looks for the most commonly known security risk to GitHub Action - script injection. Script injection occurs when an action directly includes (using the `${{ ... }}` syntax) a GitHub Context variable(s) in an inline script that can be controlled by an untrusted actor, resulting in command execution in the interpreted shell. These user-controllable parameters should be passed into an inline script as environment variables.\n\n8. Name: `check_for_self_hosted_runners`, Level: `WARN` \n\n    - This checks attempts to identify the usage of self-hosted runners. Self-hosted runners are dangerous because if the Action is compromised it may allow a threat actor to gain access to on premise environment or establish persistence mechanisms on a server you own/rent.\n\n9. Name: `check_for_aws_configure_credentials_non_oidc`, Level: `WARN`\n\n    - This checks looks for the usage of AWS's `aws-actions/configure-aws-credentials` action and attempts to identify non-OIDC authentication parameters. Non-OIDC authentication types are less secure than OIDC because they require the creation of long-term credentials which can be compromised, however, OIDC tokens are short-lived and are usually scoped to only the permissions that are essential to a workflow and thus help reduce the attack surface.\n\n10. Name: `check_for_pull_request_create_or_approve`, Level: `WARN`\n\n    - This check looks for Action that have logic related to creating or improving pull requests. Creating or approving pull requests via automation poses a security risk if sufficient controls aren't in place to protect against malicious code being merged into a repository.\n\n11. Name: `check_for_remote_script`, Level: `WARN`\n\n    - This check looks for a URL in an inline script of a GitHub Action which usually signals the inclusion of a remote script which can be dangerous.\n### References\n\n- [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)\n",
    "bugtrack_url": null,
    "license": null,
    "summary": "Analyze the security posture of one or more GitHub Actions",
    "version": "1.4.5",
    "project_urls": {
        "Documentation": "https://github.com/bin3xish477/asa#readme",
        "Issues": "https://github.com/bin3xish477/asa/issues",
        "Source": "https://github.com/bin3xish477/asa"
    },
    "split_keywords": [],
    "urls": [
        {
            "comment_text": null,
            "digests": {
                "blake2b_256": "a14be21bbc8ae1007be001bf5da10faa9f88984bbbb447b8610ad27e8d790c83",
                "md5": "bc7d4e8a8347c3ed746590431ee0587e",
                "sha256": "d9ef7e70c6f9d3109c3506cbad9490d388e1f035fff69f42d2b3ebe2412c58ca"
            },
            "downloads": -1,
            "filename": "actions_security_analyzer-1.4.5-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "bc7d4e8a8347c3ed746590431ee0587e",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": ">=3.7",
            "size": 10660,
            "upload_time": "2023-08-03T20:40:19",
            "upload_time_iso_8601": "2023-08-03T20:40:19.781978Z",
            "url": "https://files.pythonhosted.org/packages/a1/4b/e21bbc8ae1007be001bf5da10faa9f88984bbbb447b8610ad27e8d790c83/actions_security_analyzer-1.4.5-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": null,
            "digests": {
                "blake2b_256": "f904a9b15c862b435f186df3f619a6c69905af55be25ad25e2928fca78786b64",
                "md5": "6a19f7f449a75c25d284dfcd17da8048",
                "sha256": "635b6fe7840e2ad500d342b69842eff8f3172fc8dbb004e276ae4cdeaf8615ce"
            },
            "downloads": -1,
            "filename": "actions_security_analyzer-1.4.5.tar.gz",
            "has_sig": false,
            "md5_digest": "6a19f7f449a75c25d284dfcd17da8048",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": ">=3.7",
            "size": 2372015,
            "upload_time": "2023-08-03T20:40:21",
            "upload_time_iso_8601": "2023-08-03T20:40:21.768903Z",
            "url": "https://files.pythonhosted.org/packages/f9/04/a9b15c862b435f186df3f619a6c69905af55be25ad25e2928fca78786b64/actions_security_analyzer-1.4.5.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2023-08-03 20:40:21",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "bin3xish477",
    "github_project": "asa#readme",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": true,
    "requirements": [
        {
            "name": "iniconfig",
            "specs": [
                [
                    "==",
                    "2.0.0"
                ]
            ]
        },
        {
            "name": "packaging",
            "specs": [
                [
                    "==",
                    "23.1"
                ]
            ]
        },
        {
            "name": "pluggy",
            "specs": [
                [
                    "==",
                    "1.2.0"
                ]
            ]
        },
        {
            "name": "pytest",
            "specs": [
                [
                    "==",
                    "7.4.0"
                ]
            ]
        },
        {
            "name": "PyYAML",
            "specs": [
                [
                    "==",
                    "6.0"
                ]
            ]
        }
    ],
    "lcname": "actions-security-analyzer"
}