Tuesday, July 23, 2024

Raven: Open-source CI/CD Pipeline Vulnerability Scanner Tool

Cycode is excited to introduce Raven, a state-of-the-art security scanner for CI/CD pipelines. 

Raven stands for Risk Analysis and Vulnerability Enumeration for CI/CD Pipeline Security, and it is now available as an open-source tool on GitHub. 

This innovative solution will be presented at the upcoming Black Hat Arsenal – SecTor Toronto event.

Raven comes at a time when GitHub Actions are essential for CI/CD, as they enable the automation of everything from code testing to deployment. 

However, these actions also pose a risk of vulnerabilities. That’s why Raven is here.

Raven scans GitHub workflows with precision, dividing them into separate components. 

These components are then stored in a Neo4j database as nodes, with links between them. 

This structure allows for easy scanning and detection of vulnerabilities within workflows.

One of Raven’s key features is its rich knowledge base, which results from more than a year of extensive research by the Cycode team. 

This knowledge base covers a variety of systems, including thousands of projects and multiple configurations. 

Cycode has made Raven an open-source tool to enhance CI/CD security and help the wider development community.

GitHub Actions: Simple on the Surface, Complex Underneath

GitHub Actions are the core automation engine within GitHub, allowing developers to create, test, and deploy code from their repositories. 

These automated processes are specified in YAML files called “workflows,” which define a series of “jobs” and “steps” that are executed. GitHub Actions lets users create custom software development life cycle (SDLC) pipelines without leaving GitHub’s platform.

However, with great power comes great responsibility and, in this case, security challenges. 

Workflows can have various vulnerabilities, from accidental exposure of secrets to code-injection attacks. 

Some vulnerabilities can even compromise build servers or reveal artifacts, creating a serious threat of supply chain attacks that could affect millions. 

Finding these vulnerabilities can be hard, as they may be hidden in the dependencies of a workflow or arise from logical errors that are not easily spotted by conventional methods like regex scans.

Raven’s Novel Approach

Raven solves these complex problems using unique scanning and analysis methods. 

In the diverse environment of GitHub Actions, which involves dependent actions, reusable workflows, user input parameters, and pull requests from forks, Raven reduces the complexity. 

It converts this complex network of interactions into a simple and clear representation of components and their connections within a Neo4j database, providing a clear view of how GitHub Actions work.

Meet Raven: The Three Main Components Explained

Raven is a Python tool that tackles the security issues of GitHub Actions. It has three main components:

1. Download: Raven starts by downloading workflows and their dependencies from GitHub and saving them in a Redis database. 

This phase has two modes: Organization Mode, for securing private organizations, and Crawl Mode, for scanning GitHub repositories with a certain range of star ratings and downloading their workflows and dependencies for analysis. This method has already found many exploits in open-source projects.

2. Index: The indexing phase makes Raven sort the workflows in the Redis database. It makes Python class instances for each component based on its type, then turns them into Neo4j nodes, linking the different workflow components. This indexing process makes finding vulnerabilities easier by allowing simple queries.

3. Report: Raven’s reporting feature is made for security experts. When part of a scheduled task, it can scan daily and send detailed reports to a Slack channel. This active approach ensures that any vulnerabilities are found and fixed quickly, keeping a high level of security. It’s important to say that this feature is now in beta, with more improvements planned.

In Raven’s GitHub repository, you’ll see a library of Cypher queries to find vulnerabilities in Neo4j databases. Cycode’s research team has already used these queries to find some vulnerabilities in public repositories, but there is still more to discover. Raven’s launch as an open-source tool is a big step towards strengthening the security of CI/CD pipelines and supporting the community spirit of collaboration.”

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.


Latest articles

Beware Of Dating Apps Exposing Your Personal And Location Details To Cyber Criminals

Threat actors often attack dating apps to steal personal data, including sensitive data and...

Hackers Abusing Google Cloud For Phishing

Threat actors often attack cloud services for several illicit purposes. Google Cloud is targeted...

Two Russian Nationals Charged for Cyber Attacks against U.S. Critical Infrastructure

The United States has designated Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, two members...

Threat Actors Taking Advantage of CrowdStrike BSOD Bug to Deliver Malware

Threat actors have been found exploiting a recently discovered bug in CrowdStrike's software that...

NCA Shut’s Down the Most Popular “digitalstress” DDoS-for-hire Service

The National Crime Agency (NCA) has successfully infiltrated and dismantled one of the most...

Play Ransomware’s Linux Variant Attacking VMware ESXi Servers

A new Linux variant of Play ransomware targets VMware ESXi environments, which encrypts virtual...

SonicOS IPSec VPN Vulnerability Let Attackers Cause Dos Condition

SonicWall has disclosed a critical heap-based buffer overflow vulnerability in its SonicOS IPSec VPN....
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles