Argus: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions
Argus
This repo contains the code for our USENIX Security ’23 paper “ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions”. Argus is a security analysis tool designed specifically for GitHub Actions. Built to improve the security of CI/CD workflows, Argus combines taint tracking with an impact classifier to detect potential vulnerabilities in GitHub Actions workflows and the actions they use.
Visit our website – secureci.org for more information.
Features
- Taint-Tracking: Argus tracks the flow of potentially untrusted data from specific sources (such as event-controlled contexts an outside contributor can influence) to security-critical sinks within GitHub Actions workflows. This identifies flows that could lead to code injection in the workflow.
- Impact Classifier: Argus classifies each identified vulnerability as High, Medium, or Low severity, giving a clearer picture of its potential impact and helping to prioritize mitigation efforts.
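To make the taint-tracking idea concrete, here is a small added illustration (not Argus's own code, and far simpler than its staged analysis): a checker that walks a workflow's jobs and steps and flags `${{ }}` expressions that interpolate attacker-controlled event data directly into a `run:` script. The runner substitutes such expressions before the shell executes, so the tainted value becomes shell source text. The workflow below is a constructed example, and the list of untrusted contexts is an illustrative assumption rather than the source set Argus uses. The hardened job shows the usual fix: pass the value through `env:` so the shell sees it only as data.

```python
import re

# Event-controlled contexts an outside contributor can set through an issue,
# pull request, comment or branch name. Illustrative subset (assumption); it is
# not the source list Argus actually uses.
UNTRUSTED_PREFIXES = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.comment.body",
    "github.head_ref",
)

# Matches the body of a GitHub Actions expression: ${{ ... }}
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


def tainted_refs(text):
    """Return the untrusted context paths referenced by ${{ }} expressions in text."""
    hits = []
    for expr in EXPR_RE.findall(text or ""):
        for prefix in UNTRUSTED_PREFIXES:
            if prefix in expr:
                hits.append(prefix)
    return hits


def find_injections(workflow):
    """Walk jobs -> steps and report tainted expressions inside run: scripts.

    Only the run: field is treated as a sink here. Returns a list of
    (job_id, step_index, tainted_ref) tuples.
    """
    findings = []
    for job_id, job in workflow.get("jobs", {}).items():
        for index, step in enumerate(job.get("steps", [])):
            for ref in tainted_refs(step.get("run")):
                findings.append((job_id, index, ref))
    return findings


# Constructed sample workflow (the dict form of a .github/workflows/*.yml file).
WORKFLOW = {
    "name": "triage",
    "on": {"issues": {"types": ["opened"]}},
    "jobs": {
        "vulnerable": {
            "runs-on": "ubuntu-latest",
            "steps": [
                # Issue title is spliced straight into the shell script.
                {"run": 'echo "Issue: ${{ github.event.issue.title }}"'},
                # Repository name is not attacker-controlled: no finding.
                {"run": 'echo "Repo: ${{ github.repository }}"'},
            ],
        },
        "hardened": {
            "runs-on": "ubuntu-latest",
            "steps": [
                # The expression is expanded into an environment variable, and the
                # shell only ever expands $TITLE as a string, never as code.
                {
                    "env": {"TITLE": "${{ github.event.issue.title }}"},
                    "run": 'echo "Issue: $TITLE"',
                },
            ],
        },
    },
}


if __name__ == "__main__":
    for job_id, index, ref in find_injections(WORKFLOW):
        print(f"{job_id}: step {index} interpolates {ref} into run:")
```

Running the block reports only the first step of the `vulnerable` job. A real analysis such as Argus also has to follow values through step outputs, job outputs and the inputs of composite and JavaScript actions, which is what the "staged" part of the title refers to; this toy stops at the `run:` sink.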
Use
The Python script provides a command line interface for analyzing GitHub repositories (repo mode) and individual GitHub Actions (action mode).
Parameters:
- --mode: The mode of operation, either ‘repo’ or ‘action’. Required.
- --url: The GitHub URL. Use USERNAME:TOKEN@URL for private repos. Required. Note that a token passed this way ends up in your shell history and is visible in process listings on the host, so use a read-only token and revoke it when you are done.
- --output-folder: The output folder. Defaults to ‘/tmp’. Optional.
- --config: The config file. Optional.
- --verbose: Verbose mode. Sets the logging level to DEBUG; without it the level is INFO. Optional.
- --branch: The branch name to analyze.
- --commit: The commit hash to analyze.
- --tag: The tag to analyze.
Exactly one of --branch, --commit, or --tag must be provided; each is optional on its own, but the three cannot be combined and one of them is required.
- --action-path: The (relative) path to the action. Cannot be provided in repo mode. Optional.
- --workflow-path: The (relative) path to the workflow. Cannot be provided in action mode. Optional.
Install
Copyright (C) 2023 purs3lab