Tuesday, March 5, 2024

Raven: Open-source CI/CD Pipeline Vulnerability Scanner Tool

Cycode is excited to introduce Raven, a state-of-the-art security scanner for CI/CD pipelines. 

Raven stands for Risk Analysis and Vulnerability Enumeration for CI/CD Pipeline Security, and it is now available as an open-source tool on GitHub. 

This innovative solution will be presented at the upcoming Black Hat Arsenal – SecTor Toronto event.

Raven comes at a time when GitHub Actions are essential for CI/CD, as they enable the automation of everything from code testing to deployment. 

However, these actions also pose a risk of vulnerabilities. That’s why Raven is here.

Raven scans GitHub workflows with precision, dividing them into separate components. 

These components are then stored in a Neo4j database as nodes, with links between them. 

This structure allows for easy scanning and detection of vulnerabilities within workflows.

One of Raven’s key features is its rich knowledge base, which results from more than a year of extensive research by the Cycode team. 

This knowledge base covers a variety of systems, including thousands of projects and multiple configurations. 

Cycode has made Raven an open-source tool to enhance CI/CD security and help the wider development community.

GitHub Actions: Simple on the Surface, Complex Underneath

GitHub Actions are the core automation engine within GitHub, allowing developers to create, test, and deploy code from their repositories. 

These automated processes are specified in YAML files called “workflows,” which define a series of “jobs” and “steps” that are executed. GitHub Actions lets users create custom software development life cycle (SDLC) pipelines without leaving GitHub’s platform.

However, with great power comes great responsibility and, in this case, security challenges. 

Workflows can have various vulnerabilities, from accidental exposure of secrets to code-injection attacks. 

Some vulnerabilities can even compromise build servers or reveal artifacts, creating a serious threat of supply chain attacks that could affect millions. 

Finding these vulnerabilities can be hard, as they may be hidden in the dependencies of a workflow or arise from logical errors that are not easily spotted by conventional methods like regex scans.

Raven’s Novel Approach

Raven solves these complex problems using unique scanning and analysis methods. 

In the diverse environment of GitHub Actions, which involves dependent actions, reusable workflows, user input parameters, and pull requests from forks, Raven reduces the complexity. 

It converts this complex network of interactions into a simple and clear representation of components and their connections within a Neo4j database, providing a clear view of how GitHub Actions work.

Meet Raven: The Three Main Components Explained

Raven is a Python tool that tackles the security issues of GitHub Actions. It has three main components:

1. Download: Raven starts by downloading workflows and their dependencies from GitHub and saving them in a Redis database. 

This phase has two modes: Organization Mode, for securing private organizations, and Crawl Mode, for scanning GitHub repositories with a certain range of star ratings and downloading their workflows and dependencies for analysis. This method has already found many exploits in open-source projects.

2. Index: The indexing phase makes Raven sort the workflows in the Redis database. It makes Python class instances for each component based on its type, then turns them into Neo4j nodes, linking the different workflow components. This indexing process makes finding vulnerabilities easier by allowing simple queries.

3. Report: Raven’s reporting feature is made for security experts. When part of a scheduled task, it can scan daily and send detailed reports to a Slack channel. This active approach ensures that any vulnerabilities are found and fixed quickly, keeping a high level of security. It’s important to say that this feature is now in beta, with more improvements planned.

In Raven’s GitHub repository, you’ll see a library of Cypher queries to find vulnerabilities in Neo4j databases. Cycode’s research team has already used these queries to find some vulnerabilities in public repositories, but there is still more to discover. Raven’s launch as an open-source tool is a big step towards strengthening the security of CI/CD pipelines and supporting the community spirit of collaboration.”

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.


Latest articles

CACTUS Hackers Exploiting Software Bug to Attack Corporate Networks

Threat actors known as CACTUS orchestrated a sophisticated attack on two companies simultaneously, exploiting...

GTPDOOR – Previously Unknown Linux Malware Attack Telecom Networks

Researchers have discovered a new backdoor named GTPDOOR that targets telecommunication network systems within...

US Court Orders NSO Group to Handover Code for Spyware, Pegasus to WhatsApp

Meta, the company that owns WhatsApp, filed a lawsuit against NSO Group in 2019....

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like...

U.S. Charged Iranian Hacker, Rewards up to $10 Million

The United States Department of Justice (DoJ) has charged an Iranian national, Alireza Shafie...

Huge Surge in Ransomware-as-a-Service Attacks targeting Middle East & Africa

The Middle East and Africa (MEA) region has witnessed a surge in ransomware-as-a-service (RaaS)...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles