Tuesday, October 31, 2023

Open-Source CI/CD Pipeline Vulnerability Scanner Tool

Cycode is pleased to introduce Raven, a state-of-the-art security scanner for CI/CD pipelines.

Raven stands for Risk Analysis and Vulnerability Enumeration for CI/CD Pipeline Security, and it is now available as an open-source tool on GitHub.

The tool will be presented at the upcoming Black Hat Arsenal – SecTor Toronto event.

Raven arrives at a time when GitHub Actions are central to CI/CD, automating everything from code testing to deployment.

However, these actions also introduce a risk of vulnerabilities. That is why Raven is here.

Raven scans GitHub workflows precisely, breaking them down into their separate components.

These components are then stored in a Neo4j database as nodes, with relationships between them.

This structure allows for easy scanning and detection of vulnerabilities within workflows.

One of Raven’s key features is its rich knowledge base, the result of more than a year of extensive research by the Cycode team.

This knowledge base covers a wide range of systems, including thousands of projects and many configurations.

Cycode has released Raven as an open-source tool to strengthen CI/CD security and help the broader development community.

GitHub Actions: Simple on the Surface, Complex Beneath

GitHub Actions is the core automation engine within GitHub, allowing developers to build, test, and deploy code from their repositories.

These automated processes are specified in YAML files called “workflows,” which define a series of “jobs” and “steps” to be executed. GitHub Actions lets users create custom software development life cycle (SDLC) pipelines without leaving GitHub’s platform.

However, with great power comes great responsibility and, in this case, security challenges.

Workflows can contain various vulnerabilities, from unintentional exposure of secrets to code-injection attacks.

Some vulnerabilities can even compromise build servers or expose artifacts, creating a serious risk of supply chain attacks that could affect millions.

Finding these vulnerabilities can be hard, as they may be hidden in a workflow’s dependencies or arise from logical errors that are not easily spotted by conventional methods such as regex scans.

Raven’s Novel Approach

Raven solves these complex problems using unique scanning and analysis methods.

In the diverse environment of GitHub Actions, which involves dependent actions, reusable workflows, user input parameters, and pull requests from forks, Raven reduces the complexity.

It converts this complex network of interactions into a simple and clear representation of components and their connections within a Neo4j database, providing a clear view of how GitHub Actions work.

Meet Raven: The Three Main Components Explained

Raven is a Python tool that tackles the security problems of GitHub Actions. It has three main components:

1. Download: Raven starts by downloading workflows and their dependencies from GitHub and saving them in a Redis database.

This component has two modes: Organization Mode, for securing private organizations, and Crawl Mode, for scanning GitHub repositories within a certain range of star ratings and downloading their workflows and dependencies for analysis. This method has already uncovered many exploits in open-source projects.

2. Index: The indexing component has Raven organize the workflows in the Redis database. It creates Python class instances for each component based on its type, then turns them into Neo4j nodes, linking the different workflow components. This indexing process makes finding vulnerabilities easier by enabling simple queries.

3. Report: Raven’s reporting feature is built for security professionals. When part of a scheduled task, it can scan daily and send detailed reports to a Slack channel. This proactive approach ensures that vulnerabilities are found and fixed quickly, maintaining a high level of security. It is important to note that this feature is currently in beta, with more improvements planned.

In Raven’s GitHub repository, you will find a library of Cypher queries for finding vulnerabilities in Neo4j databases. Cycode’s research team has already used these queries to find several vulnerabilities in public repositories, but there is still more to discover. Raven’s release as an open-source tool is a big step towards strengthening the security of CI/CD pipelines and supporting the community spirit of collaboration.
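As an added illustration of the approach described above (example code, not Raven’s own): a workflow, embedded as the dict a YAML loader would produce, is split into workflow, job, step and action nodes joined by relationships, and the graph is then walked the way a Cypher query over Raven’s Neo4j model would be, flagging steps that interpolate untrusted pull-request input into a shell command under a privileged pull_request_target trigger and steps that reference an action by a mutable tag or branch instead of a commit SHA. The sample workflow, node ids and relationship names are constructed for this example.

```python
import re
# Constructed sample: what yaml.safe_load() would return for a workflow file.
WORKFLOW = {
    "name": "pr-triage",
    "on": {"pull_request_target": {}},
    "jobs": {"label": {"steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": "someorg/labeler@main"},
        {"run": "echo \"${{ github.event.pull_request.title }}\""},
    ]}},
}

# Expression contexts whose values come from outside the repository (a subset).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\.(pull_request|issue|comment|review)\.[^}]*\}\}")
# Any `owner/repo@ref` where ref is not a full 40-hex commit SHA (mutable tag/branch).
MUTABLE_REF = re.compile(r"^[^@]+@(?![0-9a-f]{40}$)")

def build_graph(wf):
    """Split the workflow into nodes {id: props} and edges [(src, rel, dst)]."""
    nodes, edges = {}, []
    wid = f"workflow:{wf['name']}"
    on = wf.get("on", wf.get(True))  # PyYAML reads a bare `on` key as boolean True
    triggers = [on] if isinstance(on, str) else list(on)
    nodes[wid] = {"type": "workflow", "triggers": triggers}
    for jname, job in wf["jobs"].items():
        jid = f"job:{jname}"
        nodes[jid] = {"type": "job"}
        edges.append((wid, "HAS_JOB", jid))
        for i, step in enumerate(job.get("steps", [])):
            sid = f"step:{jname}:{i}"
            nodes[sid] = {"type": "step", **step}
            edges.append((jid, "HAS_STEP", sid))
            if "uses" in step:  # link the step to the action it depends on
                nodes.setdefault(f"action:{step['uses']}", {"type": "action"})
                edges.append((sid, "USES", f"action:{step['uses']}"))
    return nodes, edges

def find_findings(nodes, edges):
    """Walk the graph the way a Cypher MATCH would and collect risky steps."""
    findings = []
    for wid, _, jid in (e for e in edges if e[1] == "HAS_JOB"):
        privileged = "pull_request_target" in nodes[wid]["triggers"]
        for _, _, sid in (e for e in edges if e[0] == jid):
            step = nodes[sid]
            if privileged and UNTRUSTED.search(step.get("run", "")):
                findings.append(("untrusted-input-in-run", sid))
            if MUTABLE_REF.match(step.get("uses", "")):
                findings.append(("unpinned-action", sid))
    return findings
```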

