You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
54 lines
1.3 KiB
Bash
54 lines
1.3 KiB
Bash
#!/usr/bin/env bash
|
|
# vim:ts=4:sts=4:sw=4:et
|
|
#
|
|
# Author: Hari Sekhon
|
|
# Date: 2022-06-10 19:09:45 +0100 (Fri, 10 Jun 2022)
|
|
#
|
|
# https://github.com/HariSekhon/DevOps-Bash-tools
|
|
#
|
|
# License: see accompanying Hari Sekhon LICENSE file
|
|
#
|
|
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
|
|
#
|
|
# https://www.linkedin.com/in/HariSekhon
|
|
#
|
|
|
|
set -euo pipefail
|
|
[ -n "${DEBUG:-}" ] && set -x
|
|
srcdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
|
|
# shellcheck disable=SC1090
|
|
. "$srcdir/lib/git.sh"
|
|
|
|
# shellcheck disable=SC2034,SC2154
|
|
usage_description="
|
|
Checks the GitHub Actions workflows in the given Git repo checkout don't have any obvious script injection risks
|
|
"
|
|
|
|
# used by usage() in lib/utils.sh
|
|
# shellcheck disable=SC2034
|
|
usage_args="[<directory>]"
|
|
|
|
help_usage "$@"
|
|
|
|
#min_args 1 "$@"
|
|
|
|
section "GitHub Actions Script Injection Check"
|
|
|
|
dir="${1:-.}"
|
|
|
|
cd "$dir"
|
|
|
|
git_root="$(git_root)"
|
|
|
|
workflow_dir="$git_root/.github/workflows"
|
|
|
|
# false positive
|
|
# shellcheck disable=SC2016
|
|
if git grep '^[[:space:]]\+run:.*${{' "$workflow_dir/"*.yaml "$workflow_dir/"*.yml; then
|
|
echo
|
|
die "WARNING: possible script injection vectors detected under '$workflow_dir'"
|
|
else
|
|
section2 "GitHub Actions script injection check passed"
|
|
fi
|