Argus: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions

Argus

This repo contains the code for our USENIX Security ’23 paper “ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions”. Argus is a comprehensive security analysis tool specifically designed for GitHub Actions. Built with an aim to enhance the security of CI/CD workflows, Argus utilizes taint-tracking techniques and an impact classifier to detect potential vulnerabilities in GitHub Action workflows.

Visit our website – secureci.org for more information.

Features

  • Taint-Tracking: Argus uses sophisticated algorithms to track the flow of potentially untrusted data from specific sources to security-critical sinks within GitHub Actions workflows. This enables the identification of vulnerabilities that could lead to code injection attacks.

  • Impact Classifier: Argus classifies identified vulnerabilities into High, Medium, and Low severity classes, providing a clearer understanding of the potential impact of each identified vulnerability. This is crucial in prioritizing mitigation efforts.

Use

This Python script provides a command line interface for interacting with GitHub repositories and GitHub actions.

python argus.py –mode [mode] –url [url] [–output-folder path_to_output] [–config path_to_config] [–verbose] [–branch branch_name] [–commit commit_hash] [–tag tag_name] [–action-path path_to_action] [–workflow-path path_to_workflow]

Parameters:

  • --mode: The mode of operation. Choose either ‘repo’ or ‘action’. This parameter is required.
  • --url: The GitHub URL. Use USERNAME:TOKEN@URL for private repos. This parameter is required.
  • --output-folder: The output folder. The default value is ‘/tmp’. This parameter is optional.
  • --config: The config file. This parameter is optional.
  • --verbose: Verbose mode. If this option is provided, the logging level is set to DEBUG. Otherwise, it is set to INFO. This parameter is optional.
  • --branch: The branch name. You must provide exactly one of: --branch--commit--tag. This parameter is optional.
  • --commit: The commit hash. You must provide exactly one of: --branch--commit--tag. This parameter is optional.
  • --tag: The tag. You must provide exactly one of: --branch--commit--tag. This parameter is optional.
  • --action-path: The (relative) path to the action. You cannot provide --action-path in repo mode. This parameter is optional.
  • --workflow-path: The (relative) path to the workflow. You cannot provide --workflow-path in action mode. This parameter is optional.

Install

Copyright (C) 2023 purs3lab