GitHub Actions vulnerability scanner for PwnRequest attacks

Project description

= GitHub Actions PwnRequest Vulnerability Scanner

A toolkit for detecting GitHub Actions workflows vulnerable to the https://securitylab.github.com/research/github-actions-preventing-pwn-requests/[PwnRequest] attack pattern — where `pull_request_target` workflows check out and execute untrusted PR code, allowing secret exfiltration.

CAUTION: Use findings responsibly and follow responsible disclosure practices.

== Installation

[source,bash]
----
uv tool install git+https://github.com/SecKatie/actions-scanner.git
----

== Usage

[source,bash]
----
# Scan an org, repo URL, local directory, or list file (default format: csv)
actions-scanner scan your-org -o results.csv

# Validate findings with AI-assisted confirmation (accepts csv or json)
actions-scanner validate results.csv

# Export to markdown
actions-scanner report results.csv -o report.md --format markdown
----

== What It Detects

The scanner flags a workflow when all three of the following conditions appear in the same job:

1. **Trigger:** `pull_request_target` (runs with write permissions and secrets)
2. **Checkout:** Untrusted PR ref (`head.sha`, `head.ref`, `merge_commit_sha`, `github.head_ref`)
3. **Execution:** Build commands (`npm install`, `make`, `pip install`, `docker build`, etc.) or local actions (`./action`)
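As an added illustration (not code from the actions-scanner project), a minimal checker for the three conditions above, run over a constructed workflow that is already parsed into a dict as PyYAML's `safe_load` would return it. It adds one assumption the rule above does not state: the execution step must come after the untrusted checkout.

```python
import re
# Untrusted refs and execution commands taken from the detection rule above.
UNTRUSTED_REFS = ("head.sha", "head.ref", "merge_commit_sha", "github.head_ref")
BUILD_CMDS = ("npm install", "npm ci", "make", "pip install", "docker build")

def triggers(workflow):
    """Return trigger names. PyYAML parses an unquoted 'on' key as True."""
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return [on]
    if isinstance(on, list):
        return [str(t) for t in on]
    return list(on.keys())

def checks_out_untrusted_ref(step):
    """actions/checkout with a ref pointing at the PR head (condition 2)."""
    uses = step.get("uses") or ""
    ref = str((step.get("with") or {}).get("ref", ""))
    return uses.startswith("actions/checkout") and any(r in ref for r in UNTRUSTED_REFS)

def executes_pr_code(step):
    """A build command in `run:` or a local action under ./ (condition 3)."""
    run = step.get("run") or ""
    if any(re.search(r"(^|\s)" + re.escape(c) + r"(\s|$)", run) for c in BUILD_CMDS):
        return True
    return (step.get("uses") or "").startswith("./")

def vulnerable_jobs(workflow):
    """Jobs where the three conditions coincide. Assumption added here: the
    execution step must come after the untrusted checkout to run PR code."""
    if "pull_request_target" not in triggers(workflow):  # condition 1
        return []
    found = []
    for name, job in (workflow.get("jobs") or {}).items():
        steps = job.get("steps") or []
        idx = next((i for i, s in enumerate(steps) if checks_out_untrusted_ref(s)), None)
        if idx is not None and any(executes_pr_code(s) for s in steps[idx + 1:]):
            found.append(name)
    return found

SAMPLE_WORKFLOW = {  # constructed sample; True is how PyYAML returns the 'on:' key
    True: {"pull_request_target": None},
    "jobs": {
        "test": {"steps": [{"uses": "actions/checkout@v4",
                            "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
                           {"run": "npm install && npm test"}]},
        "lint": {"steps": [{"uses": "actions/checkout@v4"},  # base branch, trusted
                           {"run": "npm install && npm run lint"}]},
    },
}
```

`vulnerable_jobs(SAMPLE_WORKFLOW)` reports only `test`; the `lint` job checks out the base branch, so building it runs trusted code.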

== Development

**Prerequisites:** Python 3.11+, https://github.com/astral-sh/uv[uv], `gh` CLI (authenticated), `git`

[source,bash]
----
git clone https://github.com/SecKatie/actions-scanner.git && cd actions-scanner
uv sync
uv run pytest tests/ -v
----

=== Environment Variables

[cols="1,2"]
|===
|Variable |Description

|`GITHUB_TOKEN`
|GitHub personal access token (required for org scanning)
|===

== References

* https://securitylab.github.com/research/github-actions-preventing-pwn-requests/[GitHub Security Lab: Preventing pwn requests]
* https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions[GitHub Docs: Security hardening for GitHub Actions]

== License

Internal use only.

Project details

Release files for version 1.0.0:

* Source distribution: actions_scanner-1.0.0.tar.gz (74.2 kB), uploaded via twine/6.1.0 CPython/3.13.7 using Trusted Publishing.
* Built distribution: actions_scanner-1.0.0-py3-none-any.whl (70.4 kB, Python 3).

Hashes for actions_scanner-1.0.0.tar.gz
Algorithm Hash digest
SHA256 92eab9943f837f7348e8f7c5206ca9ab4e5332019e40777a2cad0a177df3bae4
MD5 001ea07e21e2a71b59ad11041ab10bef
BLAKE2b-256 d2518cea8b72b09fcee21eb5ae4b80e7aa5dbd88141341d0aeace7c91ab1471c

Provenance: attestation bundle for actions_scanner-1.0.0.tar.gz, publisher publish.yml on SecKatie/actions-scanner (values reflect the state when the release was signed).

Hashes for actions_scanner-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 c59d125063fed971f5f5d88bf0872b74737605ade9057f8e7bdd8af74bc5724e
MD5 5aae8050bd4c0af778893d1ffd5fed72
BLAKE2b-256 b9982d62a8c850f33f8465759316b3e5ae1be53d343842845bd3a454cd9a0c32

Provenance: attestation bundle for actions_scanner-1.0.0-py3-none-any.whl, publisher publish.yml on SecKatie/actions-scanner (values reflect the state when the release was signed).