ericcornelissen/ades

Actions Dangerous Expressions Scanner

A simple tool to find dangerous uses of GitHub Actions Expressions.

Expressions in GitHub Actions, written as ${{ <expression> }}, may appear in a GitHub Actions workflow or action manifest and are substituted with their value at runtime. If that value is controlled by an attacker (the title of an issue or pull request, for example) and it is substituted directly into a script, the attacker can inject commands and hijack the continuous integration pipeline of the repository. A more detailed description of the problem is given by GitHub in "Understanding the risk of script injections".
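The mechanism behind that risk, and the safe alternative that ades nudges you towards, as an added example (not code from ades or from GitHub's documentation): the runner substitutes the expression textually into the `run:` script before the shell parses it, so a quote in an attacker-controlled value closes the string and the rest runs as commands. Routing the same value through an `env:` variable keeps it out of the script text. The substitution helpers, the issue title and the `INJECTED` marker are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of ades: why an expression inside a `run:` script is
# a shell injection, and why passing the same value through an environment
# variable is not.
#
# Assumption: the runner substitutes `${{ ... }}` textually into the script
# body *before* the shell parses it; these helpers mimic that substitution.
# POSIX sh is used here; GitHub's default `run:` shell is bash, but the
# mechanism is identical.

EXPR='${{ github.event.issue.title }}'

# Constructed attacker-controlled input (an issue title). The payload is a
# harmless marker; a real one would read secrets or tamper with the build.
PAYLOAD='Fix typo"; echo INJECTED; echo "'

# Vulnerable step:
#   - run: echo "Title: ${{ github.event.issue.title }}"
# The title is pasted into the script text, so the double quote in it closes
# the string and whatever follows is parsed as further commands.
render_unsafe() {
  template='echo "Title: '"$EXPR"'"'
  # Textual substitution of the expression, as the runner performs it.
  script="${template%%"$EXPR"*}$1${template#*"$EXPR"}"
  sh -c "$script"
}

# Safe step:
#   - env:
#       TITLE: ${{ github.event.issue.title }}
#     run: echo "Title: $TITLE"
# The expression is expanded into an environment variable, not into the script
# text; the shell only sees a parameter reference, which is never re-parsed.
render_safe() {
  script='echo "Title: $TITLE"'
  TITLE="$1" sh -c "$script"
}

echo "--- vulnerable step output ---"
render_unsafe "$PAYLOAD"
echo "--- hardened step output ---"
render_safe "$PAYLOAD"
```

Running it prints the `INJECTED` marker on its own line for the vulnerable step, while the hardened step prints the title verbatim, quotes and semicolons included. This is the change ades suggests for every expression it finds in a `run:` script: move it into `env:` and reference the variable from the script.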

ades helps you find and resolve dangerous uses of GitHub Actions Expressions in workflows and manifests.

Overview

Getting Started

Installation

Binary

Download the archive for your platform manually from the latest release, or with a CLI such as gh:

gh release download --repo ericcornelissen/ades --pattern ades_linux_amd64.tar.gz

Validate the provenance of the release you downloaded:

gh attestation verify --owner ericcornelissen ades_linux_amd64.tar.gz

Unpack the archive to get the binary out:

tar -xf ades_linux_amd64.tar.gz

Then add it to your PATH and run it:

ades -version

Or, without adding it to your PATH:

./ades -version

Docker / Podman

Pull the ades container image:

docker pull docker.io/ericornelissen/ades:latest

Validate the provenance of the container using cosign:

cosign verify \
  --certificate-identity-regexp 'https://github.com/ericcornelissen/ades/.+' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  docker.io/ericornelissen/ades:latest

Then run it using:

docker run --rm --volume "$PWD":/src docker.io/ericornelissen/ades -version

You can set up an alias for convenience:

alias ades='docker run --rm --volume "$PWD":/src docker.io/ericornelissen/ades'

NOTE: To use Podman instead of Docker, replace docker with podman in the commands above.

Go

Fetch and run ades from source using the Go CLI:

go run github.com/ericcornelissen/ades/cmd/ades@latest -version

Usage

Run ades from the root of a GitHub repository and it will report all dangerous uses of GitHub Actions Expressions in the project:

ades

Alternatively, specify any number of projects to scan, and it will report on each of them:

ades project-a project-b

If you need more information, ask for help:

ades -help

Features

  • Scans workflow files and action manifests.
  • Reports dangerous uses of expressions in run: directives, actions/github-script scripts, and known problematic action inputs.
  • Reports dangerous uses of expressions in known vulnerable actions.
  • Provides suggested fixes and (experimental) fully automated fixes.
  • Configurable sensitivity.
  • Machine- and human-readable output formats.

Rules

See RULES.md.

JSON output

The -json flag can be used to get the scan results in JSON format, so that other programs can parse and process them. The schema is defined in schema.json and is intended to remain stable across versions for extended periods of time.

Philosophy

This project aims to help developers avoid the problem of injection through expressions altogether. Instead of reporting only known problematic uses of expressions, ades reports all potentially dangerous uses of expressions, nudging developers towards safe alternatives from the get-go.

The motivation behind this is twofold. First, it makes the tool much simpler and faster. Second, it acknowledges that software development is a dynamic process and that future changes can make an expression that is safe today unsafe tomorrow. Moreover, fixing a workflow while it is being created is easier than fixing it later.

Related Work

A research tool aimed at finding problematic expressions in GitHub Actions Workflows and Actions. It performs taint analysis to track known problematic expressions across workflows, steps, and jobs, and into and out of JavaScript Actions. Because of the taint analysis it will report fewer expressions than ades (fewer false positives), but it might also miss some problematic expressions (more false negatives).

A research tool aimed at finding misconfigurations in GitHub Actions Workflows (not Actions). Among other things it looks for problematic expressions in run: scripts, but it only reports the use of known problematic expressions there. Because it considers fewer expressions problematic it will report fewer expressions overall (fewer false positives), but it might also miss other problematic expressions in run: scripts, and it will completely miss expressions elsewhere, for example in actions/github-script scripts.

A tool that aims to find misconfigurations in CI/CD pipeline configurations, including GitHub Actions Workflows. Among other checks it looks for a couple of known problematic uses of expressions involving the github context. As a result it will report fewer expressions overall (fewer false positives) but also miss some (more false negatives).

A tool aimed at finding misconfigurations in GitHub Actions Workflows (not Actions). Among other checks it looks for a couple of known problematic uses of expressions involving the github context. As a result it will report fewer expressions overall (fewer false positives) but miss some (more false negatives).

A tool that aims to find security issues in GitHub Actions CI/CD setups. It reports various kinds of potential security problems, including dangerous uses of expressions ("template injection"). Similar to ades, it will report on most uses of expressions, but only in run: and actions/github-script scripts, and it maintains a small allowlist of known safe expressions. It does distinguish between expressions known to be attacker controlled and expressions that are only potentially attacker controlled, reporting them with different severities.

Others

There is other work being done in the scope of GitHub Actions security that does not focus on GitHub Actions Expressions but is still worth mentioning:

Tooling

Research

License

The software is available under the GPL-3.0-or-later license, see COPYING.txt for the full license text. The documentation is available under the GFDL-1.3-or-later license, see GNU Free Documentation License v1.3 for the full license text.
