Introducing Raven: CI/CD Pipeline Security with Open Source Vulnerability Scanner Starting with GitHub Actions

user profile
Security Researcher

Cycode is proud to announce the public release of Raven, our cutting-edge CI/CD Pipeline Security Scanner. Launching with GitHub Actions as its first use case. Raven, which stands for Risk Analysis and Vulnerability Enumeration for CI/CD Pipeline Security, is officially open source on GitHub and will be showcased this Wednesday at Black Hat Arsenal – SecTor Toronto.

GitHub Actions have become an integral part of CI/CD, automating everything from code testing to deployment. This widespread adoption also brings a heightened risk of vulnerabilities, making the security of GitHub Actions more critical than ever. This is where Raven comes into play. Raven scans GitHub workflows and breaks them down into individual components. These components are then inserted into a Neo4j database as distinct types of nodes, with relationships established between them. This allows for effortless scanning and identification of vulnerabilities in workflows.

Raven utilizes a knowledge base built over the course of more than a year of comprehensive research into GitHub Actions by the Cycode research team. Throughout this period, data was gathered from a widespread of systems, thousands of projects, and multiple configurations. We have now decided to release Raven as an open-source tool to help enhance CI/CD security and support the community.

GitHub Actions: Simple, Yet Complex

GitHub Actions serves as the automation engine within GitHub, allowing developers to build, test, and deploy code from their repositories. These automated processes are defined in YAML files known as “workflows,” which specify a series of “jobs” they perform, consisting of “steps” (tasks) that get executed. Essentially, GitHub Actions make it possible to create customized software development life cycle (SDLC) pipelines without leaving GitHub.

While GitHub Actions offers great convenience, they also come with security risks. Workflow vulnerabilities can span a variety of issues—from leaking secrets to code-injection attacks. Many even have the potential to compromise build servers or publish artifacts, posing a risk for supply chain attacks that could affect millions. Identifying these vulnerabilities often involves scanning the workflow’s YAML files and searching the code for weak configurations or exploitable patterns. However, this approach isn’t nearly sufficient enough. Many workflow exploits are due to logical flaws that are impossible to detect through regex scans, or they may lie hidden in the dependencies of a workflow.

Read more:

Raven solves all these issues using unique scanning and analysis techniques. Within the complex landscape of GitHub Actions, containing dependent actions, reusable workflows, user input parameters, and pull requests from forks, Raven simplifies it all. It transforms this complexity into a clear and concise representation of components and their relationships within the Neo4j database, offering a straightforward understanding of the intricacies of GitHub Actions.

Introducing Raven

Raven is a robust Python-based tool specifically designed to address the security challenges that GitHub Actions poses. The tool consists of three main components:

1. Download:

Raven begins by downloading workflows and their associated dependencies from GitHub and storing them in a Redis database. It has two modes for downloading workflows:

  • Organization Mode: Scanning all the repositories of a specific organization. Primarily aimed at securing private organizations, but also applicable for bug bounty programs.
  • Crawl Mode: Searches GitHub repositories within a specified range of star ratings and downloads all their workflows and dependencies for subsequent analysis. This approach enabled us to discover numerous exploits in open-source projects.

2. Index:

In this phase, Raven indexes the workflows stored in the Redis database. It creates Python class instances for each component based on its type, then transforms them into Neo4j nodes, establishing relationships between the workflow components. This unique indexing process simplifies detecting vulnerabilities by enabling intuitive queries.

3. Report:

Raven’s reporting functionality is tailored for security professionals. When integrated into a scheduled task, it can perform scans daily and deliver comprehensive reports to a designated Slack channel. This ensures that any vulnerabilities are quickly identified and addressed, maintaining high security. This feature is currently in beta, and we have plans to enhance it further.

In Raven’s GitHub repository, you can find a library of Cypher queries tailored to identify vulnerabilities within Neo4j databases. While our research team has used these queries to find some vulnerabilities in public repositories, there are still many more to discover.

Two Workflows Vulnerable to Code Injection via Pull Request Titles Detected in the Database
Two Workflows Vulnerable to Code Injection via Pull Request Titles Detected in the Database

 

Raven Hall of Fame

The development journey of Raven has been filled with exciting discoveries. We’ve successfully identified numerous vulnerabilities in public repositories, contributing to the overall improvement of GitHub Actions security. Here are some of these repositories:

Check out Raven’s Hall of Fame on Github

 

Raven Is Open Source

Our choice to open-source Raven comes from our strong belief in the power of collaboration. We’re committed to the CI/CD security community and motivated to work collaboratively to improve Raven. Our ultimate aim is to strengthen the security of the SDLC. We believe partnering with the broader community is crucial for this objective.

If you are among these groups, Raven could be beneficial to you:

  • Security Research Teams
  • DevOps and Cybersecurity Professionals
  • Bug Bounty Hunters
  • Open Source Security Enthusiasts
  • And more

Come and join by visiting Raven’s GitHub page or by  Creating or Completing issues.

Get Started 

Cycode is committed to enhancing security in CI/CD pipelines. Our dedication to making pipelines more secure and resilient is at the core of our mission and the reason behind this latest release to the security community. Contact us to learn more about RAVEN and to book a demo.Â