Skip to main content

GitHub Actions job pack for Tessera: lint workflows for security and hygiene.

Project description

tesserakit-gha

Lint GitHub Actions workflows for security and hygiene.

tessera-gha parses .github/workflows/*.yml, inventories jobs/steps/actions, and flags the workflow mistakes that lead to supply-chain and injection incidents. It reads YAML only; it never runs a workflow.

Lint

tessera gha lint --input . --output ./out/gha_pack

Point it at a repo root (it finds .github/workflows/), a workflows directory, or a single workflow file.

Artifacts written:

items.jsonl              one WorkflowItem per step (uses/run, pin status, injection flag)
workflows.jsonl          per-workflow facts (triggers, jobs, permissions/timeout gaps)
index.md                 workflow + action inventory
validation_report.md     security + hygiene findings
coverage_report.md       actions used, run vs uses counts

Findings

  • pull_request_target_checkout_rce (error) — a privileged trigger (pull_request_target/workflow_run) and a checkout of PR-controlled code (ref: ${{ github.event.pull_request.head.sha }} etc.); the classic CI remote-code-execution combo
  • script_injection_risk (error) — a run: script interpolates an untrusted github.event.* field (title/body/branch); use an intermediate env: var
  • unpinned_action (warning) — a third-party action isn't pinned to a commit SHA (tags are mutable)
  • persist_credentials (warning) — a checkout keeps the GITHUB_TOKEN on disk (persist-credentials not disabled)
  • write_all_permissions (warning) — permissions: write-all or broadly-write scopes
  • risky_trigger (warning) — pull_request_target / workflow_run run with secrets on untrusted input
  • missing_permissions (info) — no explicit permissions:; jobs get broad default scopes
  • missing_timeout (info) — a job has no timeout-minutes
  • parse_error, no_workflows

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tesserakit_gha-0.4.0.tar.gz (7.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tesserakit_gha-0.4.0-py3-none-any.whl (9.4 kB view details)

Uploaded Python 3

File details

Details for the file tesserakit_gha-0.4.0.tar.gz.

File metadata

  • Download URL: tesserakit_gha-0.4.0.tar.gz
  • Upload date:
  • Size: 7.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.11

File hashes

Hashes for tesserakit_gha-0.4.0.tar.gz
Algorithm Hash digest
SHA256 183f8c286962651ce08715ad5c07b35367220c884d791ba357e4cdab19686a27
MD5 a91f39196dc5767c1e36096b2c304642
BLAKE2b-256 7ef43c33c5740dbf66ae1488ab29922a790e72dd7ab8cb1267d84528d285fb37

See more details on using hashes here.

File details

Details for the file tesserakit_gha-0.4.0-py3-none-any.whl.

File metadata

  • Download URL: tesserakit_gha-0.4.0-py3-none-any.whl
  • Upload date:
  • Size: 9.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.11

File hashes

Hashes for tesserakit_gha-0.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 c2747be44cf77663fe5d4d0be8bf3c66157b8c53fe9f62d18d85f7c160800470
MD5 24df91a7b5adc922f68d8f75f8ff3762
BLAKE2b-256 2d7efab2b06dcbc1fb8293db975af2b3d9d3f4b99cc2cb77a0f0c3267f243888

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page