Skip to content

feat: detect vulnerable GitHub Actions #1021

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 23, 2025
Merged

feat: detect vulnerable GitHub Actions #1021

merged 4 commits into from
Apr 23, 2025

Conversation

behnazh-w
Copy link
Member

@behnazh-w behnazh-w commented Mar 21, 2025
edited
Loading

Summary

This pull request introduces a new check mcn_githubactions_vulnerabilities_1 to detect vulnerable GitHub Actions, enhancing the security of workflows and automating the identification of potential risks in CI/CD pipelines. The key changes include:

Changes

  • A check for specific versions of third-party GitHub Actions that are known to be affected by vulnerabilities. The version can be a commit SHA associated with a tag (version).
  • A new module has been added to implement interactions with OSV (Open Source Vulnerability) API.

Documentation

  • The documentation website has been updated to reflect this new check.
  • A tutorial has been added to guide users through the process of setting up and using the check in their workflows.

Tests

  • Integration and unit tests have been added.

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Mar 21, 2025
@behnazh-w behnazh-w force-pushed the behnaz/add-gh-vuln-gha-check branch 2 times, most recently from 3f5b70c to e056b7c Compare March 26, 2025 00:30
@behnazh-w behnazh-w force-pushed the behnaz/add-gh-vuln-gha-check branch 5 times, most recently from 6e429f7 to 9776ec8 Compare April 4, 2025 05:38
@behnazh-w behnazh-w marked this pull request as ready for review April 7, 2025 04:48
@behnazh-w behnazh-w requested a review from tromai as a code owner April 7, 2025 04:48
@benmss benmss self-requested a review April 7, 2025 04:53
benmss
benmss reviewed Apr 8, 2025
View reviewed changes
@behnazh-w behnazh-w changed the base branch from staging to main April 8, 2025 04:41
@behnazh-w behnazh-w force-pushed the behnaz/add-gh-vuln-gha-check branch from 9776ec8 to a684508 Compare April 22, 2025 06:45
tromai
tromai approved these changes Apr 22, 2025
View reviewed changes
Copy link
Member

@tromai tromai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks.

@behnazh-w behnazh-w merged commit 32aa0cc into main Apr 23, 2025
26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@benmss benmss benmss approved these changes

@tromai tromai tromai approved these changes

Assignees
No one assigned
Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@behnazh-w @benmss @tromai