packj github action
1.0.0
將packj添加到您的工作流程中,以審核您的破壞/風險npm/pypi/ruby依賴性的拉動請求。
由我們的開源工具PackJ提供動力。
如果發現任何風險依賴性,Packj將對PR發表評論。請參閱示例拉請求審核。
只需將以下內容添加到您的工作流程中:
- name : Packj Security Audit
uses : ossillate-inc/[email protected]
with :
# TODO: replace with your dependency files in the repo
DEPENDENCY_FILES : pypi:requirements.txt,npm:package.json,rubygems:Gemfile
REPO_TOKEN : ${{ secrets.GITHUB_TOKEN } # This is a basic workflow to help you get started with Actions
name : Packj security audit
# Controls when the workflow will run
on :
pull_request :
branches :
- main
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs :
# This workflow contains a single job called "packj-audit"
packj-security-audit :
# The type of runner that the job will run on
runs-on : ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps :
# Audit
- name : Audit dependencies
uses : ossillate-inc/[email protected]
with :
# TODO: replace with your dependency files in the repo
DEPENDENCY_FILES : pypi:requirements.txt,npm:package.json,rubygems:Gemfile
REPO_TOKEN : ${{ secrets.GITHUB_TOKEN }}secrets.GITHUB_TOKEN默認使用(github Action Runner)false 。PackJ可以審核PYPI,NPM和RubyGems軟件包。它執行:
connect , exec ),open() , fork() ),以檢查軟件包(和所有依賴關係)的運行時行為。出於安全原因,具有過期電子郵件域,較大的發佈時間差距,敏感API等的軟件包被標記為風險。
PackJ的設計取決於我們對651個已記錄的開源軟件供應鏈攻擊的惡意軟件樣本的研究。它掃描了40多種風險代碼和元數據屬性,這些屬性使一個包裹易受供應鏈攻擊的影響。
| 風險 | 原因 |
|---|---|
| 冒充流行包裹的包裝 | 不良演員通過出版的惡意軟件包進行了錯字攻擊,這些攻擊是模仿流行套餐的(例如,lodash vs loadash) |
| 舊的或放棄的包裹 | 舊的或未經最終的軟件包未收到安全修復程序 |
| 使用敏感API的軟件包,例如EXEC和EDAR | 惡意軟件使用操作系統或語言運行時的API來執行敏感操作(例如,讀取SSH鍵) |
| 貢獻者的包裹無效或沒有電子郵件地址 | 錯誤或丟失的電子郵件地址表明該帳戶缺少2FA,這使得不良演員更容易劫持所有權。 |
| 無效或沒有公共源存儲庫的軟件包 | 沒有公共回購意味著公開審核或審查源代碼的簡單方法 |
| 包含已知漏洞的軟件包 | 軟件包代碼中已知的安全漏洞(CVE)可以由壞參與者利用 |
可以自定義PackJ,以僅發送適用於威脅模型的警報。只需根據我們的模板(下圖)在您的存儲庫中添加.packj.yaml文件,然後啟用/禁用對您重要的警報即可。
# # Audit policies # audit: # # Risk alerts (enable or disable according to your threat model) # alerts: # # category: malicious packages (publicly known and unknown) # malicious: contains known malware: - reason: package is known to contain a dangerous malware - enabled: true typo-squatting or repo-jacking package: - reason: package impersonates another popular package to propagate malware - enabled: true # # alert category: packages vulnerable to code exploits # vulnerable: contains known vulnerabilities: - reason: known vulnerabilities (CVEs) in package code could be exploited - enabled: true # # packages with undesirable or "risky" attributes # undesirable: package is old or abandoned: - reason: old or abandoned packages receive no security updates and are risky - enabled: true invalid or no author email: - reason: a package with lack of or invalid author email suggests 2FA not enabled - enabled: true invalid or no homepage: - reason: a package with no or invalid homepage may not be preferable - enabled: false no source repo: - reason: lack of public source repo may suggest malicious intention - enabled: true fewer downloads: - reason: a package with few downloads may not be preferable - enabled: true no or insufficient readme: - reason: a package with lack of documentation may not be preferable - enabled: false fewer versions or releases: - reason: few versions suggest unstable or inactive project - enabled: true too many dependencies: - reason: too many dependencies increase attack surface - enabled: false version release after a long gap: - reason: a release after a long time may indicate account hijacking - enabled: false contains custom installation hooks: - reason: custom installation hooks may download or execute malicious code - enabled: false # WIP # # type: repo stats # few source repo stars: - reason: a package with few repo stars may not be preferable - enabled: false few source repo forks: - reason: a package with few repo forks may not be preferable - enabled: false forked source repo: - reason: a forked copy of a popular package may contain malicious code - enabled: true # # type: APIs and permissions # generates new code: - reason: package generates new code at runtime, which could be malicious - enabled: false forks or exits OS processes: - reason: package spawns new operating system processes, which could be malicious - enabled: false accesses obfuscated (hidden) code: - enabled: true accesses environment variables: - enabled: false changes system/environment variables: - enabled: false accesses files and dirs: - enabled: false communicates with external network: - enabled: false reads user input: - enabled: false sandbox: rules: # # File system (allow or block accesses to file/dirs) # # ~/ represents home dir # . represents cwd dir # # NOTE: only ONE 'allow' and 'block' lines are allowed # fs: # TODO: customize as per your threat model # block access to home dir and all other locations (except the ones below) block: ~/, / allow: ., ~/.cache, ~/.npm, ~/.local, ~/.ruby, /tmp, /proc, /etc, /var, /bin, /usr/include, /usr/local, /usr/bin, /usr/lib, /usr/share, /lib # # Network (allow or block domains/ports) # # NOTE: only ONE 'allow' and 'block' lines are allowed # network: # TODO: customize as per your threat model # block all external network communication (except the ones below) block: 0.0.0.0 # For installing PyPI, Rubygems, and NPM packages allow: pythonhosted.org:443, pypi.org:443, rubygems.org:443, npmjs.org:0, npmjs.com:0
