Information Security News

Argus: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions

by ·

Argus

This repo contains the code for our USENIX Security ’23 paper “ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions”. Argus is a comprehensive security analysis tool specifically designed for GitHub Actions. Built with an aim to enhance the security of CI/CD workflows, Argus utilizes taint-tracking techniques and an impact classifier to detect potential vulnerabilities in GitHub Action workflows.

Visit our website – secureci.org for more information.

Features

  • Taint-Tracking: Argus uses sophisticated algorithms to track the flow of potentially untrusted data from specific sources to security-critical sinks within GitHub Actions workflows. This enables the identification of vulnerabilities that could lead to code injection attacks.

  • Impact Classifier: Argus classifies identified vulnerabilities into High, Medium, and Low severity classes, providing a clearer understanding of the potential impact of each identified vulnerability. This is crucial in prioritizing mitigation efforts.

Use

This Python script provides a command line interface for interacting with GitHub repositories and GitHub actions.

python argus.py –mode [mode] –url [url] [–output-folder path_to_output] [–config path_to_config] [–verbose] [–branch branch_name] [–commit commit_hash] [–tag tag_name] [–action-path path_to_action] [–workflow-path path_to_workflow]

Parameters:

  • --mode: The mode of operation. Choose either ‘repo’ or ‘action’. This parameter is required.
  • --url: The GitHub URL. Use USERNAME:TOKEN@URL for private repos. This parameter is required.
  • --output-folder: The output folder. The default value is ‘/tmp’. This parameter is optional.
  • --config: The config file. This parameter is optional.
  • --verbose: Verbose mode. If this option is provided, the logging level is set to DEBUG. Otherwise, it is set to INFO. This parameter is optional.
  • --branch: The branch name. You must provide exactly one of: --branch--commit--tag. This parameter is optional.
  • --commit: The commit hash. You must provide exactly one of: --branch--commit--tag. This parameter is optional.
  • --tag: The tag. You must provide exactly one of: --branch--commit--tag. This parameter is optional.
  • --action-path: The (relative) path to the action. You cannot provide --action-path in repo mode. This parameter is optional.
  • --workflow-path: The (relative) path to the workflow. You cannot provide --workflow-path in action mode. This parameter is optional.

Install

Copyright (C) 2023 purs3lab

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Tags:

Leave a Reply