CI/CD Leak Scanner is a security tool designed to scan build logs from CI/CD pipelines to identify leaks of sensitive data, tokens, or credentials.
Due to the recent malicious actions involving tj-actions/changed-files, we've created this tool to empower security teams to proactively scan and determine if their CI/CD pipelines have been compromised.
- Sensitive Data Detection: Quickly identifies leaked secrets, tokens, and credentials in build logs.
- Configurable Rules: Customize the scanner to detect specific patterns or keywords.
- Reporting: Generates a detailed report with the list of leaks found in the build logs.
git clone https://github.com/CycodeLabs/cicd-leak-scanner.git
cd cicd-leak-scanner
go build -o cicd-leak-scanner .
In some cases (e.g., building in a minimal Docker environment or a platform without CGO support), specify CGO_ENABLED=0:
CGO_ENABLED=0 go build -o cicd-leak-scanner .
Scan public build logs:
./cicd-leak-scanner -t $GITHUB_TOKEN
Scan a specific organization:
./cicd-leak-scanner -t $GITHUB_TOKEN -o organization
Scan a specific repository:
./cicd-leak-scanner -t $GITHUB_TOKEN -r orgName/repoName
The scanner uses a configuration file to define the rules for detecting leaks. The configuration file is located at config.yaml and can be customized to detect specific patterns or keywords.
scanner:
  workflow-runs-to-scan: 3
output:
  method: file
  filename: output.json
rules:
  - name: Detect base64 secrets leaked by tj-actions/changed-files
    query: tj-actions/changed-files language:yaml path:.github/workflows
    regex: >
      ##\[group\]changed-files\s*\r?\n\d{4}-\d{2}-\d{2}T[\d:.]+Z\s+([A-Za-z0-9+/=]+)
    decoders:
      - id: base64_decode
        repeat: 2
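As an added illustration (not the project's own code), the Go snippet below applies the config.yaml rule above to a constructed log excerpt: the regex captures the blob that follows the changed-files group marker and its timestamp, and the base64_decode step is applied twice, as repeat: 2 specifies. The log layout, timestamp and placeholder value are assumptions made for the example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// The regex and decoder settings copied from the config.yaml rule above.
var (
	tjRegex  = regexp.MustCompile(`##\[group\]changed-files\s*\r?\n\d{4}-\d{2}-\d{2}T[\d:.]+Z\s+([A-Za-z0-9+/=]+)`)
	tjRepeat = 2 // decoders: base64_decode, repeat: 2
)

// decodeRepeated base64-decodes s n times, failing if any layer is not valid base64.
func decodeRepeated(s string, n int) (string, error) {
	for i := 0; i < n; i++ {
		b, err := base64.StdEncoding.DecodeString(strings.TrimSpace(s))
		if err != nil {
			return "", fmt.Errorf("base64 layer %d: %w", i+1, err)
		}
		s = string(b)
	}
	return s, nil
}

// ScanLog applies the rule to a build log and returns the decoded payload of every match; a capture that does not decode cleanly is skipped.
func ScanLog(log string) []string {
	var findings []string
	for _, m := range tjRegex.FindAllStringSubmatch(log, -1) {
		if decoded, err := decodeRepeated(m[1], tjRepeat); err == nil {
			findings = append(findings, decoded)
		}
	}
	return findings
}

// SampleLog builds a constructed log excerpt in the layout the rule expects; the
// embedded value is a placeholder, not a real secret (assumed format, not captured output).
func SampleLog(payload string) string {
	once := base64.StdEncoding.EncodeToString([]byte(payload))
	twice := base64.StdEncoding.EncodeToString([]byte(once))
	return "##[group]changed-files\n2025-03-15T12:00:00.1234567Z " + twice + "\n##[endgroup]\n"
}
func main() {
	for _, f := range ScanLog(SampleLog("EXAMPLE_TOKEN=placeholder")) {
		fmt.Println("leak candidate:", f)
	}
}
```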
Contributions are welcome! Please open a pull request or an issue if you'd like to suggest improvements or report bugs.
- GitHub API Limit: GitHub's search and workflow run APIs return a maximum of 1000 results per query.