Skip to content

feat: detect vulnerable GitHub Actions#1021

Merged
behnazh-w merged 4 commits intomainfrom
behnaz/add-gh-vuln-gha-check
Apr 23, 2025
Merged

feat: detect vulnerable GitHub Actions#1021
behnazh-w merged 4 commits intomainfrom
behnaz/add-gh-vuln-gha-check

Conversation

@behnazh-w
Copy link
Copy Markdown
Member

@behnazh-w behnazh-w commented Mar 21, 2025
edited
Loading

Summary

This pull request introduces a new check mcn_githubactions_vulnerabilities_1 to detect vulnerable GitHub Actions, enhancing the security of workflows and automating the identification of potential risks in CI/CD pipelines. The key changes include:

Changes

  • A check for specific versions of third-party GitHub Actions that are known to be affected by vulnerabilities. The version can be a commit SHA associated with a tag (version).
  • A new module has been added to implement interactions with OSV (Open Source Vulnerability) API.

Documentation

  • The documentation website has been updated to reflect this new check.
  • A tutorial has been added to guide users through the process of setting up and using the check in their workflows.

Tests

  • Integration and unit tests have been added.

@oracle-contributor-agreement oracle-contributor-agreement Bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Mar 21, 2025
@behnazh-w behnazh-w force-pushed the behnaz/add-gh-vuln-gha-check branch 2 times, most recently from 3f5b70c to e056b7c Compare March 26, 2025 00:30
@behnazh-w behnazh-w force-pushed the behnaz/add-gh-vuln-gha-check branch 5 times, most recently from 6e429f7 to 9776ec8 Compare April 4, 2025 05:38
@behnazh-w behnazh-w marked this pull request as ready for review April 7, 2025 04:48
@behnazh-w behnazh-w requested a review from tromai as a code owner April 7, 2025 04:48
@benmss benmss self-requested a review April 7, 2025 04:53
benmss
benmss reviewed Apr 8, 2025
View reviewed changes
Comment thread docs/source/index.rst Outdated
benmss
benmss reviewed Apr 8, 2025
View reviewed changes
Comment thread docs/source/pages/tutorials/detect_vulnerable_github_actions.rst Outdated
benmss
benmss reviewed Apr 8, 2025
View reviewed changes
Comment thread docs/source/pages/tutorials/detect_vulnerable_github_actions.rst Outdated
benmss
benmss reviewed Apr 8, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/checks/github_actions_vulnerability_check.py Outdated
benmss
benmss reviewed Apr 8, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/checks/github_actions_vulnerability_check.py Outdated
benmss
benmss reviewed Apr 8, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/checks/github_actions_vulnerability_check.py Outdated
@behnazh-w behnazh-w changed the base branch from staging to main April 8, 2025 04:41
benmss
benmss reviewed Apr 8, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/package_registry/osv_dev.py Outdated
benmss
benmss reviewed Apr 8, 2025
View reviewed changes
Comment thread tests/integration/cases/oracle-macaron/test.yaml Outdated
benmss
benmss reviewed Apr 8, 2025
View reviewed changes
Comment thread tests/slsa_analyzer/checks/test_github_actions_vulnerability_check.py Outdated
benmss
benmss reviewed Apr 9, 2025
View reviewed changes
Comment thread tests/slsa_analyzer/package_registry/test_osv_dev.py
tromai
tromai reviewed Apr 10, 2025
View reviewed changes
Comment thread docs/source/pages/cli_usage/command_analyze.rst Outdated
tromai
tromai reviewed Apr 10, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/git_url.py Outdated
tromai
tromai reviewed Apr 10, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/package_registry/osv_dev.py
tromai
tromai reviewed Apr 10, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/package_registry/osv_dev.py Outdated
tromai
tromai reviewed Apr 10, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/package_registry/osv_dev.py
tromai
tromai reviewed Apr 10, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/package_registry/osv_dev.py
tromai
tromai reviewed Apr 10, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/checks/github_actions_vulnerability_check.py
@behnazh-w
feat: detect vulnerable GitHub Actions
c285cea 
Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>
@behnazh-w
docs: update the ER diagram
01fbe4a
@behnazh-w
test(integration): change staging to main branch
e13d576 
Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>
@behnazh-w
chore: address PR feedback
a684508 
Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>
@behnazh-w behnazh-w force-pushed the behnaz/add-gh-vuln-gha-check branch from 9776ec8 to a684508 Compare April 22, 2025 06:45
tromai
tromai approved these changes Apr 22, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@tromai tromai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks.

@behnazh-w behnazh-w merged commit 32aa0cc into main Apr 23, 2025
26 checks passed
@behnazh-w behnazh-w deleted the behnaz/add-gh-vuln-gha-check branch July 22, 2025 02:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@benmss benmss benmss approved these changes

+1 more reviewer

@tromai tromai tromai approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

OCA Verified All contributors have signed the Oracle Contributor Agreement.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@behnazh-w @benmss @tromai