Documentation ¶
Overview ¶
The ades command can be used to Scan for Dangerous Expressions in Actions (sdea -> ades) workflows and manifests, Actions being GitHub's continuous integration platform.
It is primarily intended to be used as a CLI application, but it also exports its functionality for programmatic use. For programmatic use, note that this project does not follow semantic versioning, so a version bump does not signal whether the exported API changed; pin an exact version and re-check the API when upgrading.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var (
	// AllMatcher is an ExprMatcher that will find all GitHub Actions Expressions in strings.
	AllMatcher allExprMatcher

	// ConservativeMatcher is an ExprMatcher that will conservatively find GitHub Workflow
	// Expressions in strings that are known to be controllable by attackers.
	ConservativeMatcher conservativeExprMatcher
)
Functions ¶
func Fix ¶
Fix produces a set of fixes to address the violation, if possible. If the return value is nil, the violation cannot be fixed automatically and must be addressed by hand.
func Suggestion ¶
Suggestion returns a suggestion for the violation.
Types ¶
type ExprMatcher ¶
type ExprMatcher interface {
	// FindAll is the function that returns all relevant GitHub Actions Expressions in the provided
	// input.
	FindAll([]byte) [][]byte
}
ExprMatcher is the interface for types that can find GitHub Actions Expressions in strings.
type JobStep ¶
type JobStep struct {
	With map[string]string `yaml:"with"`
	Env  map[string]string `yaml:"env"`
	Name string            `yaml:"name"`
	Run  string            `yaml:"run"`
	Uses string            `yaml:"uses"`
}
JobStep is a (simplified) representation of a workflow job step object.
type Manifest ¶
type Manifest struct {
Runs ManifestRuns `yaml:"runs"`
}
Manifest is a (simplified) representation of a GitHub Actions Action manifest.
func ParseManifest ¶
ParseManifest parses a GitHub Actions Action manifest file into a Manifest struct.
type ManifestRuns ¶
ManifestRuns is a (simplified) representation of an Action manifest's `runs:` object.
type StepUses ¶
type StepUses struct {
	// Name is the name of the Action that is used. Typically <owner>/<repository>.
	Name string

	// Ref is the git reference used for the Action. Typically a tag ref, branch ref, or commit SHA.
	Ref string
}
StepUses is a structured representation of a workflow job step `uses:` value.
type Violation ¶
type Violation struct {
	// JobId is an identifier of a job in a GitHub Actions workflow, either the name or key.
	//
	// This will be the zero value if the violation is for a GitHub Actions manifest.
	JobId string

	// StepId is the identifier of a step in a GitHub Actions workflow or manifest, either the name
	// or index.
	StepId string

	// Problem is the problematic GitHub Actions Expression as observed in the workflow or manifest.
	Problem string

	// RuleId is the identifier of the ades rule that produced the violation.
	RuleId string
	// contains filtered or unexported fields
}
Violation contains information on a problematic GitHub Actions Expression found in a workflow or manifest.
func AnalyzeManifest ¶
func AnalyzeManifest(manifest *Manifest, matcher ExprMatcher) []Violation
AnalyzeManifest analyses a GitHub Actions manifest for problematic GitHub Actions Expressions.
func AnalyzeWorkflow ¶
func AnalyzeWorkflow(workflow *Workflow, matcher ExprMatcher) []Violation
AnalyzeWorkflow analyses a GitHub Actions workflow for problematic GitHub Actions Expressions.
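The following is an added example, not code from the ades package, showing what the two matchers and the analysis above boil down to and why an expression in a `run:` script is dangerous: `${{ ... }}` is substituted into the script text before the shell parses it, so an attacker-controlled value such as an issue title becomes shell code. The example mirrors the documented JobStep and Violation shapes with its own Step and Violation types, uses its own illustrative list of attacker-controllable contexts (an assumption; ades maintains its own rules), and includes a Fix that applies the standard remediation of evaluating the expression into an environment variable the script reads instead. The sample workflow steps are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Step mirrors the simplified JobStep documented on this page (example type, not ades').
type Step struct {
	Name string
	Run  string
	Env  map[string]string
}

// Violation carries the step identifier (name or index) and the offending expression.
type Violation struct {
	StepId  string
	Problem string
}

// exprRe captures the body of a GitHub Actions expression `${{ ... }}`, whitespace trimmed.
var exprRe = regexp.MustCompile(`\$\{\{\s*(.*?)\s*\}\}`)

// identRe is used to turn an expression into a shell-safe variable name.
var identRe = regexp.MustCompile(`[^A-Za-z0-9]+`)

// attackerControlled is an illustrative, non-exhaustive list (assumption for this example)
// of context prefixes whose values an outside contributor sets via an issue, PR or comment.
var attackerControlled = []string{
	"github.event.issue.title",
	"github.event.issue.body",
	"github.event.pull_request.title",
	"github.event.pull_request.body",
	"github.event.pull_request.head.ref",
	"github.event.comment.body",
	"github.event.commits",
	"github.head_ref",
}

// FindAll returns every expression in s, the behaviour AllMatcher is documented to have.
func FindAll(s string) []string {
	var out []string
	for _, m := range exprRe.FindAllStringSubmatch(s, -1) {
		out = append(out, m[1])
	}
	return out
}

// FindConservative returns only expressions that read a known attacker-controllable
// context directly, the idea behind ConservativeMatcher. Values reached indirectly
// (e.g. through a function call such as contains(...)) are deliberately not reported.
func FindConservative(s string) []string {
	var out []string
	for _, e := range FindAll(s) {
		for _, p := range attackerControlled {
			if strings.HasPrefix(e, p) {
				out = append(out, e)
				break
			}
		}
	}
	return out
}

// Analyze reports one Violation per expression the matcher finds in each step's `run:`
// script. StepId is the step name, or its index when the step is unnamed.
func Analyze(steps []Step, find func(string) []string) []Violation {
	var vs []Violation
	for i, st := range steps {
		id := st.Name
		if id == "" {
			id = fmt.Sprint(i)
		}
		for _, e := range find(st.Run) {
			vs = append(vs, Violation{StepId: id, Problem: e})
		}
	}
	return vs
}

// Fix moves the expression into an `env:` entry and makes the script reference the
// variable, so the shell receives the untrusted value as data rather than as code.
func Fix(st Step, expr string) Step {
	name := strings.Trim(strings.ToUpper(identRe.ReplaceAllString(expr, "_")), "_")
	if st.Env == nil {
		st.Env = map[string]string{}
	}
	st.Env[name] = "${{ " + expr + " }}"
	st.Run = exprRe.ReplaceAllStringFunc(st.Run, func(m string) string {
		if exprRe.FindStringSubmatch(m)[1] == expr {
			return "$" + name
		}
		return m
	})
	return st
}

func main() {
	// Constructed sample: an issue-triggered workflow that echoes the issue title.
	steps := []Step{
		{Name: "greet", Run: "echo \"New issue: ${{ github.event.issue.title }}\""},
		{Run: "echo ${{ github.sha }}"},
	}
	fmt.Println("all:", Analyze(steps, FindAll))
	fmt.Println("conservative:", Analyze(steps, FindConservative))
	for _, st := range steps {
		for _, e := range FindConservative(st.Run) {
			fixed := Fix(st, e)
			fmt.Printf("fixed run: %s\n      env: %v\n", fixed.Run, fixed.Env)
		}
	}
}
```

Running it reports two findings with FindAll (`github.event.issue.title` and `github.sha`) but only the issue title with FindConservative, and rewrites the first step to `echo "New issue: $GITHUB_EVENT_ISSUE_TITLE"` with the expression moved to `env:`. Note that an unquoted `$NAME` in a POSIX shell is still subject to word splitting and globbing but can no longer inject commands, which is the property the fix is after; quoting the reference is still good practice.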
type Workflow ¶
type Workflow struct {
Jobs map[string]WorkflowJob `yaml:"jobs"`
}
Workflow is a (simplified) representation of a GitHub Actions workflow.
func ParseWorkflow ¶
ParseWorkflow parses a GitHub Actions workflow file into a Workflow struct.
type WorkflowJob ¶
WorkflowJob is a (simplified) representation of a workflow job.