Map the AWS blast radius of GitHub Actions workflows
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
ActionScope
Map the AWS blast radius of your GitHub Actions workflows.
ActionScope reads your .github/workflows/ files, Terraform IAM resources,
and inline JSON IAM policies, then tells you โ in plain English โ what your
CI/CD pipelines can actually do to your AWS environment.
It answers the question no other tool answers: "If this workflow is compromised, what can an attacker do in AWS?"
Install
pip install actionscope
Quick Start
actionscope scan .
Example Output
ActionScope โ Blast Radius Report
Path: /my-repo | Workflows: 2 | Overall Risk: ๐ด CRITICAL
deploy.yml โ deploy โ Configure AWS credentials
AWS Role: arn:aws:iam::123456789012:role/github-deploy-role
Auth: OIDC โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโ
โ Action โ Access Level โ Risk โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโค
โ iam:PassRole โ Permissions mgmt โ ๐ด CRIT โ
โ ec2:TerminateInstances โ Write โ ๐ HIGH โ
โ s3:GetObject โ Read โ ๐ข LOW โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโ
โ ๏ธ iam:PassRole on * โ privilege escalation path exists
Use as a GitHub Action
- uses: r12habh/ActionScope@v0
with:
fail-on: high
comment-pr: true
How It Works
ActionScope performs static analysis only โ it never sends your code to any external service.
- Finds all
.github/workflows/*.ymlfiles - Extracts AWS role ARNs and GITHUB_TOKEN permission declarations
- Finds matching IAM policies in Terraform or JSON files in your repo
- Classifies each IAM action by risk using the policy-sentry database
- Outputs a plain-English blast radius report
What If My Policies Aren't in the Repo?
โน๏ธ Policy not found in repo for role: arn:aws:iam::123456:role/ci-deploy
๐ก Run with --aws-verify to fetch live policies from AWS (coming in v1.0)
In v1.0, --aws-verify will use read-only AWS API calls to fetch the real
attached policies for any role ARN found in your workflows.
Public Research
ActionScope includes a reproducible public-data research scaffold for analyzing
workflow-level AWS security patterns across public GitHub repositories. See
research/ for the scanner, methodology, and anonymized findings
template.
Built By
Rishabh Singh โ AWS Security Engineer. GitHub
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file actionscope-0.1.0.tar.gz.
File metadata
- Download URL: actionscope-0.1.0.tar.gz
- Upload date:
- Size: 40.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8f03b58bcb8361fbac67583dae4f43bf6810fcab1b1ee0647c0000075ff69561
|
|
| MD5 |
d0695749f8712832cd07be64fed163a8
|
|
| BLAKE2b-256 |
33643e2fb230d8d0a96eea96f7e1769e8dbfc6aea159dd2347989f4f4645c5cd
|
Provenance
The following attestation bundles were made for actionscope-0.1.0.tar.gz:
Publisher:
release.yml on r12habh/ActionScope
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
actionscope-0.1.0.tar.gz -
Subject digest:
8f03b58bcb8361fbac67583dae4f43bf6810fcab1b1ee0647c0000075ff69561 - Sigstore transparency entry: 1552915116
- Sigstore integration time:
-
Permalink:
r12habh/ActionScope@235a93d247889fecd6357414eb6be2e1fc1dcdce -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/r12habh
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@235a93d247889fecd6357414eb6be2e1fc1dcdce -
Trigger Event:
push
-
Statement type:
File details
Details for the file actionscope-0.1.0-py3-none-any.whl.
File metadata
- Download URL: actionscope-0.1.0-py3-none-any.whl
- Upload date:
- Size: 36.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
483848ebbe1e5186576925c2212466a07c32f0e163d8f49c82986b599de5bbee
|
|
| MD5 |
34279184911351474a2d080ef22d5f68
|
|
| BLAKE2b-256 |
5e161f1ff194f105928179b6a9120ae78bd3850a088332fe47c43219246a2c47
|
Provenance
The following attestation bundles were made for actionscope-0.1.0-py3-none-any.whl:
Publisher:
release.yml on r12habh/ActionScope
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
actionscope-0.1.0-py3-none-any.whl -
Subject digest:
483848ebbe1e5186576925c2212466a07c32f0e163d8f49c82986b599de5bbee - Sigstore transparency entry: 1552915125
- Sigstore integration time:
-
Permalink:
r12habh/ActionScope@235a93d247889fecd6357414eb6be2e1fc1dcdce -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/r12habh
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@235a93d247889fecd6357414eb6be2e1fc1dcdce -
Trigger Event:
push
-
Statement type:
