A fast, local-first CLI tool to scan GitHub Actions workflow files for security vulnerabilities using AI

Siddhant-K-code/actionsec

ActionSec 🔒

A fast, local-first CLI tool to scan GitHub Actions workflow files for security vulnerabilities.

Features

  • πŸ” Security Scanning: Detects 6 types of common GitHub Actions security issues
  • ⚑ Fast & Local: No external dependencies, runs entirely offline
  • πŸ“Š Risk Scoring: Assigns risk scores and fails builds based on thresholds
  • 🎨 Multiple Formats: Output in table, JSON, or Markdown format
  • βš™οΈ Configurable: Support for YAML config files and environment variables
  • πŸš€ Easy Installation: One-command installation script

Quick Start

Installation

Option 1: One-line install (Recommended)

curl -fsSL https://raw.githubusercontent.com/Siddhant-K-code/actionsec/main/install.sh | bash

Option 2: User installation (no sudo required)

curl -fsSL https://raw.githubusercontent.com/Siddhant-K-code/actionsec/main/install.sh | bash -s -- --user

Option 3: Build from source

git clone https://github.com/Siddhant-K-code/actionsec
cd actionsec
make install

Basic Usage

# Scan current directory
actionsec scan

# Scan specific directory
actionsec scan /path/to/repo

# Scan with different output formats
actionsec scan --format=json
actionsec scan --format=markdown

# Fail build if risk score exceeds threshold
actionsec scan --fail-on-risk=50

Security Rules

| Rule ID | Description | Risk Score | Severity |
|---|---|---|---|
| unpinned-action | Actions not pinned to SHA | 20 | HIGH |
| full-permissions | Missing or overly broad permissions | 15-25 | MEDIUM-HIGH |
| shell-curl | Dangerous shell commands (curl \| bash, etc.) | 30 | HIGH |
| no-timeout | Missing timeout-minutes | 5 | LOW |
| pr-target | Unsafe pull_request_target usage | 25 | HIGH |
| env-secrets | Secrets in env blocks without validation | 10 | MEDIUM |

Configuration

Create a .actionsec.yaml file in your project root:

# Exit with code 1 if total risk score exceeds this threshold
fail-on-risk: 80

# Ignore specific rules or files
ignore:
  - shell-curl                           # Ignore a specific rule
  - .github/workflows/debug.yml          # Ignore a specific file

Environment Variables

All configuration options can be set via environment variables with the ACTIONSEC_ prefix:

export ACTIONSEC_FAIL_ON_RISK=80
export ACTIONSEC_IGNORE="shell-curl,.github/workflows/debug.yml"
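To show how the rule table above and the fail-on-risk / ignore settings fit together, here is a small Go program added as an illustration. It is not ActionSec's own code: the line-based regex checks, the file-level ignore semantics, the injected `getenv` function and the treatment of a threshold of 0 as "no gate" are all my assumptions. It implements four of the six rules (unpinned-action, shell-curl, pr-target, env-secrets) at the scores in the table, runs them over the README's vulnerable workflow embedded as a constant, and applies ACTIONSEC_FAIL_ON_RISK and ACTIONSEC_IGNORE the way the section above describes.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one rule hit, with the fields ActionSec's scan output shows.
type Finding struct {
	Rule, Severity, Message string
	Line, Score             int
}

// Scores and severities come from the README's rule table; the regexes are my
// own approximation of the checks (assumption), not ActionSec's implementation.
var (
	usesRe    = regexp.MustCompile(`^\s*-?\s*uses:\s*([^\s#]+)`)
	runRe     = regexp.MustCompile(`^\s*-?\s*run:\s*(.*)$`)
	shaRe     = regexp.MustCompile(`^[0-9a-f]{40}$`)
	pipeShRe  = regexp.MustCompile(`\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b`)
	secretsRe = regexp.MustCompile(`\$\{\{\s*secrets\.`)
)

func indent(s string) int { return len(s) - len(strings.TrimLeft(s, " \t")) }

// ScanWorkflow applies four of the six rules line by line, so each finding
// carries the same file:line position the README's scan output reports.
func ScanWorkflow(src string) []Finding {
	var out []Finding
	envIndent, runIndent := -1, -1 // indentation of an open "env:" key / "run: |" block, -1 when closed
	for i, raw := range strings.Split(src, "\n") {
		ln, line := i+1, strings.TrimSpace(raw)
		if line == "" {
			continue
		}
		// A YAML block ends when indentation returns to the level of its key or above.
		if envIndent >= 0 && indent(raw) <= envIndent {
			envIndent = -1
		}
		if runIndent >= 0 && indent(raw) <= runIndent {
			runIndent = -1
		}
		switch {
		case strings.HasPrefix(line, "pull_request_target:"):
			out = append(out, Finding{"pr-target", "HIGH", "pull_request_target can be dangerous - allows code execution from forks", ln, 25})
		case line == "env:":
			envIndent = indent(raw)
		case envIndent >= 0 && secretsRe.MatchString(line):
			out = append(out, Finding{"env-secrets", "MEDIUM", "Secrets used in env block without proper validation", ln, 10})
		case runIndent >= 0 && pipeShRe.MatchString(line):
			out = append(out, Finding{"shell-curl", "HIGH", "Dangerous shell command pattern detected", ln, 30})
		}
		if m := usesRe.FindStringSubmatch(raw); m != nil {
			name, ref, _ := strings.Cut(m[1], "@")
			if !shaRe.MatchString(ref) { // tags and branches are mutable; only a full commit SHA counts as pinned
				out = append(out, Finding{"unpinned-action", "HIGH", fmt.Sprintf("Action '%s' is not pinned to a SHA", name), ln, 20})
			}
		}
		if m := runRe.FindStringSubmatch(raw); m != nil {
			if cmd := strings.TrimSpace(m[1]); cmd == "|" || cmd == "|-" || cmd == ">" {
				runIndent = indent(raw) // multi-line script: the continuation lines are checked instead
			} else if pipeShRe.MatchString(cmd) {
				out = append(out, Finding{"shell-curl", "HIGH", "Dangerous shell command pattern detected", ln, 30})
			}
		}
	}
	return out
}

// Config mirrors the README's fail-on-risk and ignore options.
type Config struct {
	FailOnRisk int
	Ignore     map[string]bool // rule IDs and file paths, as in the README's ignore list
}

// ConfigFromEnv reads ACTIONSEC_FAIL_ON_RISK and the comma-separated ACTIONSEC_IGNORE.
// getenv is injected (assumption) so tests need not touch the process environment.
func ConfigFromEnv(getenv func(string) string) Config {
	cfg := Config{Ignore: map[string]bool{}}
	cfg.FailOnRisk, _ = strconv.Atoi(strings.TrimSpace(getenv("ACTIONSEC_FAIL_ON_RISK")))
	for _, item := range strings.Split(getenv("ACTIONSEC_IGNORE"), ",") {
		if item = strings.TrimSpace(item); item != "" {
			cfg.Ignore[item] = true
		}
	}
	return cfg
}

// Evaluate drops ignored rules (or the whole file if its path is ignored), sums the
// risk score and returns exit code 1 when the total exceeds the threshold (0 = no gate).
func Evaluate(path string, findings []Finding, cfg Config) (kept []Finding, total, exitCode int) {
	if cfg.Ignore[path] {
		return nil, 0, 0
	}
	for _, f := range findings {
		if !cfg.Ignore[f.Rule] {
			kept = append(kept, f)
			total += f.Score
		}
	}
	if cfg.FailOnRisk > 0 && total > cfg.FailOnRisk {
		exitCode = 1
	}
	return kept, total, exitCode
}

// Constructed sample: the README's vulnerable workflow (comment emoji dropped),
// kept line-for-line so the positions match its documented scan output.
const vulnerableWorkflow = `name: Vulnerable Workflow
on:
  pull_request_target:    # Dangerous trigger
    branches: [main]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3  # Not pinned to SHA
      - name: Install deps
        run: curl -fsSL https://get.docker.com | bash  # Dangerous command
      - name: Run tests
        run: npm test
        env:
          API_KEY: ${{ secrets.API_KEY }}  # Secret in env block
`

func main() {
	path := ".github/workflows/vulnerable.yml" // hypothetical path for the embedded sample
	kept, total, code := Evaluate(path, ScanWorkflow(vulnerableWorkflow), ConfigFromEnv(os.Getenv))
	fmt.Printf("Total Risk Score: %d/100\n\nFound %d security issues:\n\n", total, len(kept))
	for _, f := range kept {
		fmt.Printf("%s\n   File: %s:%d\n   Severity: %s\n   %s\n\n", f.Rule, path, f.Line, f.Severity, f.Message)
	}
	os.Exit(code)
}
```

Run it with `ACTIONSEC_FAIL_ON_RISK=80 go run .` and it reports the same four findings at lines 3, 10, 12 and 16 for a total of 85 and exits 1; setting `ACTIONSEC_IGNORE=shell-curl` drops the total to 55 and the exit code to 0. The two ad hoc rules the program does not implement, no-timeout and full-permissions, are file-level checks rather than line matches, which is why they are left out of this line-oriented toy.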

Examples

❌ Vulnerable Workflow

name: Vulnerable Workflow
on:
  pull_request_target:    # ⚠️ Dangerous trigger
    branches: [main]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3  # ❌ Not pinned to SHA
      - name: Install deps
        run: curl -fsSL https://get.docker.com | bash  # ❌ Dangerous command
      - name: Run tests
        run: npm test
        env:
          API_KEY: ${{ secrets.API_KEY }}  # ⚠️ Secret in env block

Scan Result:

$ actionsec scan

Total Risk Score: 85/100

Found 4 security issues:

πŸ” unpinned-action
   File: .github/workflows/vulnerable.yml:10
   Severity: HIGH
   Action 'actions/checkout' is not pinned to a SHA

πŸ” shell-curl
   File: .github/workflows/vulnerable.yml:12
   Severity: HIGH
   Dangerous shell command pattern detected

πŸ” pr-target
   File: .github/workflows/vulnerable.yml:3
   Severity: HIGH
   pull_request_target can be dangerous - allows code execution from forks

πŸ” env-secrets
   File: .github/workflows/vulnerable.yml:16
   Severity: MEDIUM
   Secrets used in env block without proper validation

✅ Secure Workflow

name: Secure Workflow
on:
  pull_request:           # ✅ Safe trigger
    branches: [main]

permissions:              # ✅ Explicit permissions
  contents: read
  actions: read

jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 10   # ✅ Has timeout
    steps:
      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # ✅ Pinned to SHA
      - name: Setup Node
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c   # ✅ Pinned to SHA
        with:
          node-version: '18'
      - name: Install dependencies
        run: npm ci         # ✅ Safe command
      - name: Run tests
        run: npm test       # ✅ Safe command

Scan Result:

$ actionsec scan

Total Risk Score: 0/100

✅ No security issues found!

CLI Reference

actionsec scan [path] [flags]

Flags:
  -f, --format string      Output format (table, json, markdown) (default "table")
      --fail-on-risk int   Exit with code 1 if risk score exceeds threshold
      --ci                 CI mode (non-interactive)
      --config string      Config file path (default ".actionsec.yaml")
  -h, --help              Help for scan

Examples:
  actionsec scan                          # Scan current directory
  actionsec scan /path/to/repo            # Scan specific directory
  actionsec scan --format=json           # JSON output
  actionsec scan --fail-on-risk=50       # Fail if risk > 50
  actionsec scan --config=custom.yaml    # Custom config file

Integration

GitHub Actions

name: Security Scan
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # a tag ref; the unpinned-action rule flags this, so pin to a full commit SHA in your own workflow
      - name: Install ActionSec
        run: |
          curl -fsSL https://raw.githubusercontent.com/Siddhant-K-code/actionsec/main/install.sh | bash
      - name: Scan workflows
        run: actionsec scan --fail-on-risk=50

Pre-commit Hook

Add to .pre-commit-config.yaml:

repos:
  - repo: local
    hooks:
      - id: actionsec
        name: ActionSec Security Scan
        entry: actionsec scan --fail-on-risk=50
        language: system
        pass_filenames: false

Makefile Integration

.PHONY: security-scan
security-scan:
	@echo "Running security scan..."
	actionsec scan --fail-on-risk=80

Building from Source

Prerequisites

  • Go 1.21 or later
  • Git

Build Commands

# Clone repository
git clone https://github.com/Siddhant-K-code/actionsec
cd actionsec

# Build for current platform
make build

# Install system-wide
make install

# Install to user directory
make install-user

# Build for all platforms
make release

# Run tests
make test

# Quick build and test
make dev

License

MIT License - see LICENSE file for details.


⭐ Star this repository if you find it useful!
