```
Options:
  -h, --help               Show help
  -d, --debug              Debug output
  --verbose                Verbose output
  --org <org>              Organizations to target
  --repo <repo>            Repository to target
  --token <pat>            GHP to authenticate to GitHub
  --default-branch         Only download workflows from the default branch
  --max-branches <num>     Limit the number of branches to download
  --path <path>            GitHub file path to download [default: .github/workflows]
  --output-dir <dir>       Output dir where to download files [default: octoscan-output]
  --include-archives       Also download archived repositories
```
It will reduce false positives and give the most interesting results.
If you have downloaded the workflows with the `dl` command you may end up with duplicated workflows, since by default octoscan downloads the workflows of every branch. To delete the duplicates and speed up the analysis, run the `fdupes` command on the output directory before starting the scan.
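For environments where `fdupes` is not installed, the following added example (not part of octoscan) performs the same content-based deduplication in Python: every `.yml`/`.yaml` file under the output directory is hashed, and all but the first copy of each identical group is deleted. The `org/repo/branch/.github/workflows/` layout and the workflow contents in `demo()` are constructed for the example and are not a statement about octoscan's real output layout.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def file_digest(path: str) -> str:
    """SHA-256 of a file's content, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_duplicates(root: str) -> Dict[str, List[str]]:
    """Group workflow files under `root` by content hash and keep only the
    groups with more than one member. Paths are sorted so the surviving copy
    (the first one) is deterministic."""
    groups: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith((".yml", ".yaml")):
                path = os.path.join(dirpath, name)
                groups.setdefault(file_digest(path), []).append(path)
    return {h: sorted(paths) for h, paths in groups.items() if len(paths) > 1}


def remove_duplicates(root: str, dry_run: bool = False) -> List[str]:
    """Delete every copy but the first of each duplicate group and return the
    removed paths (with dry_run=True, only report what would be removed)."""
    removed: List[str] = []
    for paths in find_duplicates(root).values():
        for path in paths[1:]:
            if not dry_run:
                os.remove(path)
            removed.append(path)
    return removed


def demo() -> Dict[str, int]:
    """Build a constructed output tree in a temp dir, dedupe it, and report counts."""
    root = tempfile.mkdtemp(prefix="octoscan-output-")
    ci = ("on: [push, pull_request]\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
          "    steps:\n      - uses: actions/checkout@v4\n")
    release = ("on:\n  push:\n    tags: ['v*']\njobs:\n  release:\n"
               "    runs-on: ubuntu-latest\n    steps:\n      - run: make dist\n")
    # Constructed layout: one repo fetched from two branches; ci.yml is identical on both.
    files = {
        "org/repo/main/.github/workflows/ci.yml": ci,
        "org/repo/feature/.github/workflows/ci.yml": ci,
        "org/repo/feature/.github/workflows/release.yml": release,
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    removed = remove_duplicates(root)
    remaining = sum(len(names) for _, _, names in os.walk(root))
    return {"removed": len(removed), "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

Run `remove_duplicates("octoscan-output", dry_run=True)` first to review which files would go; hashing the whole content (rather than comparing names) is what makes it safe to apply to a tree where the same file name exists with different contents on different branches.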
```
Options:
  -h, --help        Show help
  -v, --version     Show version
  -d, --debug       Debug output
  --verbose         Verbose output
  --json            JSON output
  --oneline         Use one line per one error. Useful for reading error messages from programs
```
```
Args:
  <target>                        Target: file or directory to scan

Options:
  --filter-triggers <triggers>    Scan workflows with specific triggers (comma separated list: "push,pull_request_target" or pre-configured: external/allnopr)
  --filter-run                    Search for expression injection only in run shell scripts.
  --ignore <pattern>              Regular expression matching the error messages you want to ignore.
  --disable-rules <rules>         Disable specific rules. Split on ","
  --enable-rules <rules>          Enable specific rules; this will disable all other rules. Split on ","
  --debug-rules                   Enable debug rules.
  --config-file <config>          Config file.
```
The complete list of rules can be found with this command:
```
$ octoscan scan --list-rules
2024/08/07 16:50:48 [INFO] Available rules
 - dangerous-action            Check for dangerous actions.
 - dangerous-checkout          Check for dangerous checkout.
 - expression-injection        Check for expression injection.
 - dangerous-write             Check for dangerous write operation on $GITHUB_OUTPUT or $GITHUB_ENV.
 - local-action                Check for local actions.
 - oidc-action                 Check for OIDC actions.
 - runner-label                Checks for GitHub-hosted and preset self-hosted runner labels in "runs-on:"
 - unsecure-commands           Check 'ACTIONS_ALLOW_UNSECURE_COMMANDS' env variable.
 - known-vulnerability         Check for known vulnerabilities.
 - bot-check                   Check for if statements that are based on a bot identity.
 - debug-external-trigger      Check for workflow that can be externally triggered.
 - debug-artefacts             Check for workflow that upload artefacts.
 - debug-js-exec               Check for workflow that execute system commands in JS scripts.
 - repo-jacking                Verify that external actions are pointing to a valid GitHub user or organization.
```
dangerous-checkout
Triggers like `workflow_run` or `pull_request_target` run in a privileged context: the workflow has read access to secrets and potentially write access to the targeted repository. Performing an explicit checkout of the untrusted code in such a workflow results in the attacker's code being downloaded into that privileged context.
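To make the rule concrete, here is an added example of a simplified dangerous-checkout check. It is not octoscan's implementation: it works on workflows already parsed into Python dicts (the shape a YAML loader produces), flags a job only when a privileged trigger is combined with an `actions/checkout` step whose `ref:` selects code controlled by the pull request or the triggering workflow run, and leaves a checkout without `ref:` alone because that one fetches the base commit. The three sample workflows and the list of untrusted-ref patterns are constructed for this example; the expression names are the standard GitHub Actions contexts.

```python
import re
from typing import Any, Dict, List, Optional, Set

# Triggers the text above describes as running with secrets and write access.
PRIVILEGED_TRIGGERS = {"pull_request_target", "workflow_run"}

# `ref:` values that resolve to code the PR author / fork controls.
UNTRUSTED_REF_PATTERNS = [
    re.compile(r"github\.event\.pull_request\.head\.(sha|ref)"),
    re.compile(r"github\.head_ref"),
    re.compile(r"github\.event\.workflow_run\.head_(sha|branch)"),
    re.compile(r"refs/pull/[^/]+/(head|merge)"),
]


def workflow_triggers(workflow: Dict[str, Any]) -> Set[str]:
    """Return the event names a workflow runs on.

    YAML 1.1 loaders (PyYAML included) parse an unquoted `on` key as the
    boolean True, so both spellings of the key are accepted here."""
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return {str(t) for t in on}
    return set()


def untrusted_ref(step: Dict[str, Any]) -> Optional[str]:
    """Return the `with.ref` of an actions/checkout step when it points at
    untrusted code, else None. No `ref:` means the base commit: not flagged."""
    uses = step.get("uses")
    if not (isinstance(uses, str) and uses.startswith("actions/checkout")):
        return None
    ref = (step.get("with") or {}).get("ref")
    if not isinstance(ref, str):
        return None
    return ref if any(p.search(ref) for p in UNTRUSTED_REF_PATTERNS) else None


def dangerous_checkouts(workflow: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Rule: privileged trigger + explicit checkout of untrusted code."""
    privileged = workflow_triggers(workflow) & PRIVILEGED_TRIGGERS
    if not privileged:
        return []
    findings = []
    for job_name, job in (workflow.get("jobs") or {}).items():
        for index, step in enumerate(job.get("steps") or []):
            ref = untrusted_ref(step)
            if ref is not None:
                findings.append({"job": job_name, "step": index, "ref": ref,
                                 "triggers": sorted(privileged)})
    return findings


# Constructed samples, already in the dict shape a YAML loader would produce.
VULNERABLE = {  # privileged trigger, checks out the PR head, then runs it
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm ci && npm test"},
    ]}},
}

HARDENED = {  # same trigger, but only the base branch is checked out
    "on": {"pull_request_target": {}},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "npm ci && npm test"},
    ]}},
}

UNPRIVILEGED = {  # plain pull_request: fork runs get no secrets, so not flagged
    "on": ["pull_request"],
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4", "with": {"ref": "${{ github.head_ref }}"}},
    ]}},
}

if __name__ == "__main__":
    for label, wf in [("VULNERABLE", VULNERABLE), ("HARDENED", HARDENED),
                      ("UNPRIVILEGED", UNPRIVILEGED)]:
        print(label, dangerous_checkouts(wf))
```

The `HARDENED` sample shows the usual fix when the privileged trigger is genuinely needed: keep the checkout on the base commit and treat the pull request content as data only. Because the check matches on the `ref:` expression rather than on the trigger alone, a `pull_request_target` workflow that never fetches the PR head produces no finding.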