Static analysis and attack simulation for GitHub Actions workflows. Detects injection vectors, supply chain risks, excessive permissions and secret exposure. Generates prioritized findings with remediation guidance.
Aligned with Microsoft Security DevOps principles. SARIF 2.1.0 output integrates natively with GitHub Advanced Security (GHAS) code scanning for enterprise security workflows.
| Attack Vector | Severity | CWE |
|---|---|---|
| Script injection via untrusted context expressions | Critical | CWE-78 |
| Pwn Request (pull_request_target + PR head checkout) | Critical | CWE-913 |
| Excessive permissions (write-all, contents: write) | High | CWE-250 |
| Secrets passed to third-party actions | High | CWE-522 |
| Unpinned actions (mutable branch reference) | High | CWE-829 |
| Unpinned actions (semantic version tag) | Medium | CWE-829 |
| Self-hosted runner without isolation | Medium | CWE-653 |
| Secret values in environment variables | Informational | CWE-532 |
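The following script is an added illustration of the detection logic behind the table above; it is not ghass's own analyzer (which parses YAML in Rust) and not part of this repository. It runs a stdlib-only, line-oriented checker over a constructed workflow that contains one instance of each finding type plus a hardened step whose untrusted value is routed through `env` instead of being expanded into the shell. The rule names, the list of untrusted expression contexts, the sample workflow and its 40-hex placeholder commit are all assumptions made for the example.

```python
"""Added example, not ghass's own analyzer: a stdlib-only, line-oriented checker
for the finding types listed above. Rules, context list and sample are assumed."""
import re

# Constructed workflow: one instance of each finding type, plus a hardened step
# (PR title passed via env, read as $TITLE) that must produce no finding.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
permissions: write-all
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Title: ${{ github.event.pull_request.title }}"
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $TITLE"
      - uses: some-org/notify@main
        with:
          token: ${{ secrets.SLACK_TOKEN }}
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
"""

# Expression contexts an outside contributor controls (assumed list, not exhaustive).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(event\.(pull_request|issue|comment|review|head_commit|commits)\b|head_ref)")
SHA_PIN = re.compile(r"^[0-9a-f]{40}$")      # immutable commit pin (placeholder value above)
SEMVER_TAG = re.compile(r"^v?\d+(\.\d+)*$")  # release tag: the action owner can move it


def check_pin(no, uses, findings):
    """SHA pin passes; a version tag is Medium; a branch or missing ref is High."""
    _, _, ref = uses.partition("@")
    if uses.startswith(("./", "docker://")) or SHA_PIN.match(ref):
        return  # local/image references and commit pins: nothing to flag here
    rule = ("unpinned-tag", "Medium") if SEMVER_TAG.match(ref) else ("unpinned-branch", "High")
    findings.append((*rule, no))


def split_steps(lines):
    """Group (line_no, text) pairs into steps: the '- ' items under 'steps:'."""
    steps, indent, in_steps = [], None, False
    for no, text in lines:
        stripped = text.lstrip()
        in_steps = in_steps or stripped.startswith("steps:")
        lead = len(text) - len(stripped)
        if in_steps and stripped.startswith("- ") and indent in (None, lead):
            indent = lead
            steps.append([])
        if in_steps and steps and not stripped.startswith("steps:"):
            steps[-1].append((no, text))
    return steps


def analyze_step(step, has_prt, findings):
    """Per-step rules: unpinned uses, secret to third party, pwn request, injection."""
    key_indent, block, uses, run_text = None, None, "", []
    for no, text in step:
        body = text.lstrip(" -")            # read '- uses:' as the plain key 'uses:'
        lead = len(text) - len(body)
        key_indent = lead if key_indent is None else key_indent
        key, _, value = body.partition(":")
        value = value.strip()
        if lead == key_indent:              # a step-level key such as uses/run/with
            block = key if key in ("run", "with") else None
            if key == "uses":
                uses = value
                check_pin(no, value, findings)
            elif key == "run" and value not in ("|", "|-", ">", ">-"):
                run_text.append((no, value))
        elif block == "run":                # continuation line of a multi-line script
            run_text.append((no, body))
        elif block == "with" and "${{" in value:
            if has_prt and key == "ref" and "checkout" in uses and ".pull_request.head" in value:
                findings.append(("pwn-request", "Critical", no))
            if "secrets." in value and not uses.startswith(("actions/", "github/", "./")):
                findings.append(("secret-to-third-party", "High", no))
    for no, line in run_text:               # untrusted expression expanded into shell
        if UNTRUSTED.search(line):
            findings.append(("script-injection", "Critical", no))


def scan(text):
    """Return (rule, severity, line_no) findings for one workflow, ordered by line."""
    lines = list(enumerate(text.splitlines(), start=1))
    has_prt = any(l.strip().startswith("pull_request_target") for _, l in lines)
    findings = [("excessive-permissions", "High", no) for no, l in lines
                if l.strip() in ("permissions: write-all", "contents: write")]
    for step in split_steps(lines):
        analyze_step(step, has_prt, findings)
    return sorted(findings, key=lambda f: f[2])


if __name__ == "__main__":
    for rule, sev, no in scan(SAMPLE_WORKFLOW):
        print(f"line {no:>2}  {sev:<8} {rule}")
```

Running it reports the permissions line, the tag-pinned checkout, the PR-head `ref` under `pull_request_target`, the expression inside the `run:` script, the branch-pinned third-party action and the secret handed to it; the hardened step on line 14 stays silent because the shell only ever sees `$TITLE`. Line heuristics like these are fine for showing the idea, but a real analyzer such as ghass should work from the parsed YAML so that quoting, anchors and flow-style mappings cannot hide a pattern.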
```bash
git clone https://github.com/9t29zhmwdh-coder/github-actions-security-sandbox
cd github-actions-security-sandbox
cargo build --release

# Scan a single workflow file
./target/release/ghass scan examples/vulnerable_workflow.yml

# Scan all workflows in a directory
./target/release/ghass scan .github/workflows

# Export findings as Markdown
./target/release/ghass scan .github/workflows --format md --output report.md

# Export SARIF for GitHub Advanced Security
./target/release/ghass scan .github/workflows --format sarif --output results.sarif

# Show only high severity and above
./target/release/ghass scan .github/workflows --min-severity high
```

| Format | Flag | Use Case |
|---|---|---|
| Table (default) | --format table | Interactive terminal inspection |
| JSON | --format json | CI pipelines, ticketing system integration |
| Markdown | --format md | PR comments, Confluence, internal reports |
| HTML | --format html | Browser-viewable reports for stakeholders |
| SARIF | --format sarif | GitHub Advanced Security, code scanning |
| Severity | Description |
|---|---|
| Critical | Immediate code execution risk or full secret exposure. Fix before merging. |
| High | Significant risk that can be exploited with moderate effort. |
| Medium | Risk requires specific conditions to exploit; remediate in next sprint. |
| Low | Defense-in-depth improvement with limited direct impact. |
| Informational | Correct usage pattern; review for completeness. |
The tool is structured as a Rust workspace with three crates:
| Crate | Role |
|---|---|
| ghass-core | Domain models, finding types, report serialization (JSON, Markdown, HTML, SARIF) |
| ghass-scan | YAML workflow parser, all security analyzers |
| ghass-cli | CLI binary (ghass), output formatting, severity filtering |
See ARCHITECTURE.md for the full data-flow diagram and module descriptions.
Copy .github/workflows/ghass-check-template.yml from this repository into your own project to automatically scan workflows on every push and on a weekly schedule. Findings are uploaded to GitHub Advanced Security as SARIF results.
See docs/attack_vectors.md for hardening patterns for each finding type.
This tool performs entirely local static analysis. It reads YAML files from disk. No Azure, GitHub, or any other API credentials are needed or used.
Author: Rafael Yilmaz · Status: Active · v0.1.0 · License: MIT
