
Github Workflow Disclosure

By kannthu

Severity: Medium
Vidoc Module
#exposure #config
Description

What is the "Github Workflow Disclosure" module?

The "Github Workflow Disclosure" module is designed to detect misconfigurations in Github workflows. It targets repositories that use Github Actions for their CI/CD pipelines. This module has a medium severity level and was authored by dhiyaneshDk and geeknik.

Impact

Misconfigured Github workflows can introduce security vulnerabilities: an attacker may be able to exploit them to gain unauthorized access, execute arbitrary code, or perform other malicious activity.

How does the module work?

The "Github Workflow Disclosure" module works by sending HTTP requests to the paths where a repository's Github workflow files live (under .github/workflows/) and applying matching conditions to the responses. It looks for specific keywords at the start of a line in the returned file, such as "on", "jobs", "steps", and "uses". If these keywords are found, a workflow file is being served publicly, which is the misconfiguration the module reports.

For example, the module may send a GET request to paths such as "/.github/workflows/ci.yml" or "/.github/workflows/main.yaml". It checks the response status code to confirm that the file exists, then applies the matching conditions to the file's content.

If the specified keywords are found and the response status code is 200, the module reports a potential misconfiguration. This helps users find and fix exposed workflow files and harden their CI/CD pipelines.
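The matching logic described above, as an added example that is not part of the module or the Vidoc code base: it applies the two regexes visible in the module preview (the preview truncates the rest, so the "steps" and "uses" patterns are left out) together with the status-200 gate to a set of constructed sample responses, including the catch-all-200 case that the regex check is there to filter out.

```python
import re
from typing import Dict, List, Tuple

# The two regexes shown in the module preview. (?m) makes ^ match at the start
# of every line, and the optional quotes let JSON-style keys ("on":) match too.
WORKFLOW_KEY_PATTERNS = [
    re.compile(r'(?m)^\s*"?on"?:'),
    re.compile(r'(?m)^\s*"?jobs"?:'),
]


def is_exposed_workflow(status: int, body: str) -> bool:
    """Match only when the file is actually served (HTTP 200) AND every
    workflow key starts a line. Requiring both keeps catch-all 200 responses
    (single-page apps, soft 404s) from being reported."""
    if status != 200:
        return False
    return all(pattern.search(body) for pattern in WORKFLOW_KEY_PATTERNS)


def triage(responses: Dict[str, Tuple[int, str]]) -> List[str]:
    """Return the paths whose (status, body) pairs satisfy the conditions."""
    return [path for path, (status, body) in responses.items()
            if is_exposed_workflow(status, body)]


# Constructed sample responses, not captured traffic.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    # A real workflow file served from the web root: reported.
    "/.github/workflows/ci.yml": (200, "name: CI\non: [push]\njobs:\n  build:\n"
                                        "    runs-on: ubuntu-latest\n"),
    # Non-200 is never reported, whatever the body contains.
    "/.github/workflows/main.yaml": (404, "on: push\njobs: {}\n"),
    # Catch-all front-end route answering 200 for any path: regex check fails.
    "/.github/workflows/release.yml": (200, "<html><body>App</body></html>"),
    # Quoted JSON-style keys: still matched because of the optional quotes.
    "/.github/workflows/deploy.yml": (200, '{\n  "on": "push",\n  "jobs": {}\n}\n'),
}

if __name__ == "__main__":
    for path in triage(SAMPLE_RESPONSES):
        print("workflow file publicly served:", path)
```

Running it reports only ci.yml and deploy.yml; the 404 and the catch-all HTML page are dropped by the status gate and the regex conditions respectively.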

For more information, you can refer to the Github Workflow Disclosure module on Github.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /.github/workflows/c... /.github/workflows/c... /.github/workflows/C... (+24 paths)
Matching conditions
regex: (?m)^\s*"?on"?:, (?m)^\s*"?jobs"?:, (?m)...and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability