Vulnerable Workflows

You may have landed here because Git X-Ray suggested that you further inspect a specific Workflow in a repository that you were X-Raying, or because of some other reason.

Either way, here's a list of specialized software and documentation on how to proceed with analyzing the security of your workflow.

Tools for Workflow analysis

• https://github.com/synacktiv/octoscan - A SAST tool for GitHub Workflows.

• https://github.com/AdnaneKhan/Gato-X - Excellent for identifying at scale vulnerable Workflows.

• https://semgrep.dev/p/github-actions - Semgrep rules for GitHub Workflows.

• https://github.com/tindersec/gh-workflow-auditor - A script by Tinder Security which analyzes multiple aspects of a Workflow.

Articles about Github Workflows and Security

Official by GitHub

• https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
• https://securitylab.github.com/resources/github-actions-untrusted-input/
• https://securitylab.github.com/resources/github-actions-building-blocks/
• https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions

By independent researchers and organizations

• https://medium.com/tinder/exploiting-github-actions-on-open-source-projects-5d93936d189f

Videos

• https://www.youtube.com/watch?v=Ers-LcA7Nmc - A great video and slides by Rob Bos on GitHub Actions with security in mind