Cycode is excited to introduce Raven, a state-of-the-art security scanner for CI/CD pipelines.
Raven stands for Risk Analysis and Vulnerability Enumeration for CI/CD Pipeline Security, and it is now available as an open-source tool on GitHub.
This innovative solution will be presented at the upcoming Black Hat Arsenal – SecTor Toronto event.
Raven comes at a time when GitHub Actions are essential for CI/CD, as they enable the automation of everything from code testing to deployment.
However, these actions also pose a risk of vulnerabilities. That’s why Raven is here.
Raven scans GitHub workflows with precision, dividing them into separate components.
These components are then stored in a Neo4j database as nodes, with links between them.
This structure allows for easy scanning and detection of vulnerabilities within workflows.
One of Raven’s key features is its rich knowledge base, which results from more than a year of extensive research by the Cycode team.
This knowledge base covers a variety of systems, including thousands of projects and multiple configurations.
Cycode has made Raven an open-source tool to enhance CI/CD security and help the wider development community.
GitHub Actions: Simple on the Surface, Complex Underneath
GitHub Actions are the core automation engine within GitHub, allowing developers to create, test, and deploy code from their repositories.
These automated processes are specified in YAML files called “workflows,” which define a series of “jobs” and “steps” that are executed. GitHub Actions lets users create custom software development life cycle (SDLC) pipelines without leaving GitHub’s platform.
However, with great power comes great responsibility and, in this case, security challenges.
Workflows can have various vulnerabilities, from accidental exposure of secrets to code-injection attacks.
Some vulnerabilities can even compromise build servers or reveal artifacts, creating a serious threat of supply chain attacks that could affect millions.
Finding these vulnerabilities can be hard, as they may be hidden in the dependencies of a workflow or arise from logical errors that are not easily spotted by conventional methods like regex scans.
Raven’s Novel Approach
Raven solves these complex problems using unique scanning and analysis methods.
In the diverse environment of GitHub Actions, which involves dependent actions, reusable workflows, user input parameters, and pull requests from forks, Raven reduces the complexity.
It converts this complex network of interactions into a simple and clear representation of components and their connections within a Neo4j database, providing a clear view of how GitHub Actions work.
Meet Raven: The Three Main Components Explained
Raven is a Python tool that tackles the security issues of GitHub Actions. It has three main components:
1. Download: Raven starts by downloading workflows and their dependencies from GitHub and saving them in a Redis database.
This phase has two modes: Organization Mode, for securing private organizations, and Crawl Mode, for scanning GitHub repositories with a certain range of star ratings and downloading their workflows and dependencies for analysis. This method has already found many exploits in open-source projects.
2. Index: The indexing phase makes Raven sort the workflows in the Redis database. It makes Python class instances for each component based on its type, then turns them into Neo4j nodes, linking the different workflow components. This indexing process makes finding vulnerabilities easier by allowing simple queries.
3. Report: Raven’s reporting feature is made for security experts. When part of a scheduled task, it can scan daily and send detailed reports to a Slack channel. This active approach ensures that any vulnerabilities are found and fixed quickly, keeping a high level of security. It’s important to say that this feature is now in beta, with more improvements planned.
In Raven’s GitHub repository, you’ll see a library of Cypher queries to find vulnerabilities in Neo4j databases. Cycode’s research team has already used these queries to find some vulnerabilities in public repositories, but there is still more to discover. Raven’s launch as an open-source tool is a big step towards strengthening the security of CI/CD pipelines and supporting the community spirit of collaboration.”
Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.