Detects invisible network exploits in GitHub Actions pins
Project description
WTFork 🤌🤌
Pinning to SHA isn't the silver bullet you think it is.
This tool detects if your GitHub Actions are vulnerable to the Fork Network exploit (a.k.a. "The Invisible Network"), verifying that the commits you pin actually belong to the repositories you trust.
This project is inspired by this Aikido’s write-up on how fork networks work, and how Sai-Hulud was abusing it:
The Fork Awakens: Why GitHub’s invisible networks break package security
🚩 The Problem: "Invisible Networks"
Security best practices tell us to pin GitHub Actions to a full commit SHA (uses: owner/repo@<sha>). The assumption is simple: "If I pin the SHA, I trust code I'm running." Strict immutability usually equals strict trust
That assumption is wrong.
GitHub's architecture creates a loophole. It resolves SHAs across the entire fork network, not just the target repository.
This means uses: owner/repo@<sha> guarantees the code (the SHA), but it does not guarantee the source. A commit might resolve successfully from any fork, even if it never existed in the trusted owner/repo, effectively pulling unreviewed code from an obscure or malicious fork while appearing to come from upstream.
The Worst Case Scenario:
- Your workflow defines:
uses: trusted-owner/action@<sha> - That
<sha>does not exist intrusted-owner/action. - However, GitHub resolves it to a malicious commit in an obscure fork.
- You unknowingly execute
untrusted-owner/action@<sha>from a different owner you never agreed to trust.
🛡️ How WTFork works
wtfork audits your repository’s GitHub Actions workflow files to validate that every referenced SHA is legitimate.
It scans:
.github/workflows/*.yml.github/workflows/*.yaml
For every uses: owner/repo@<sha> found, wtfork performs a sanity check: Does this commit actually live inside owner/repo?
If the SHA is missing from the origin repo (but resolving due to the fork network quirk), wtfork flags it immediately so you can fix the pin before it becomes a supply-chain attack vector.
🚀 Usage
📦 Installation
Install wtfork directly from PyPI:
pip install wtfork
🤖 GitHub Actions Integration (Recommended)
The most effective way to use wtfork is to run it automatically in your CI/CD pipeline. This blocks any Pull Request that introduces a vulnerable pin.
Create a file named .github/workflows/wtfork-scan.yml:
name: WTFork Security Scan 🤌
on: [push, pull_request]
jobs:
wtfork_scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Install WTFork
run: pip install wtfork
- name: Run Scan
run: wtfork
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
💻 Running Locally
To run wtfork locally, you must provide a GitHub Token (GITHUB_TOKEN) so the tool can query the API. The token needs repo scope (for private repos) or public access (for public repos).
1. Set the token:
- Linux / macOS:
export GITHUB_TOKEN=your_personal_access_token
- Windows (PowerShell):
$env:GITHUB_TOKEN="your_personal_access_token"
2. Run the tool:
# Run with default settings (scans .github/workflows against all refs)
wtfork
# Run on a specific directory
wtfork --path ./my-project/.github/workflows
⚙️ CLI Arguments & Configuration
wtfork [--path PATH] [--mode MODE]
| Argument | Default | Description |
|---|---|---|
--path |
.github/workflows |
Path to the directory containing your .yml or .yaml workflow files. |
--mode |
all |
Comparison Strategy: • default: Checks if the SHA exists in the repo's default branch (Fastest, but more relaxed).• tags: Checks if the SHA belongs to any tag.• branches: Checks if the SHA belongs to any branch.• all: Checks everywhere (Safest, but slightly slower). |
Examples:
# Fast check: Only allow SHAs that are present on the default branch (e.g., main/master)
wtfork --mode default
# Comprehensive check: Allow SHAs if they exist anywhere (tags or branches)
wtfork --mode all
License
MIT
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file wtfork-1.0.2.tar.gz.
File metadata
- Download URL: wtfork-1.0.2.tar.gz
- Upload date:
- Size: 5.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ddefca89633ab6e44df6368df4594939db662a227e7a043d8a7f561e9b2b178b
|
|
| MD5 |
9801adea01a228535576a01cee742952
|
|
| BLAKE2b-256 |
69fca830ff011a519faa45f895792024512ed5620a3e2d1271684dbf6cf1a1e3
|
File details
Details for the file wtfork-1.0.2-py3-none-any.whl.
File metadata
- Download URL: wtfork-1.0.2-py3-none-any.whl
- Upload date:
- Size: 5.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a784480a9fc2a08e184057b9c37e3b9119f2206216c660929d48bfdd29d708a1
|
|
| MD5 |
cb11aefaa5eabf71f8fa6b1aac7224c1
|
|
| BLAKE2b-256 |
5538ecef39db599f3dc5836f53bc1fb64593d5d84991bbedd0cee4ebcc75ccae
|
