README
¶
oshka
oshka【oʊʃkə】is a tool for extracting nested CI/CD supply chains and executing commands.
Concept
Security checks should be performed not only on the source code of the repository but also on the code of the third-party actions of GitHub Actions and Docker images that compose the CI/CD.
The primary purpose of oshka is for the continuous security check of the nested CI/CD supply chains ( So the default execution --command is trivy fs --exit-code 1 . ).
Because most tools can be run on the filesystem, oshka has a strategy of deploying the supply chains in temporary directories.
Behavior
- Analyze the nested supply chains that compose the CI/CD
- Detect repositories of third-party actions.
- Detect docker images.
- Extract the resources of supply chains to local temporary directory.
- Execute any commands to the extracted resources.
Usage
Scan local filesystem and supply chains for vulnerabilities using Trivy
( The default execution --command is trivy fs --exit-code 1 . )
$ oshka run fs .
Result
$ oshka run fs .
2021-08-31T20:40:24+09:00 [INFO] Create temporary directory for extracting supply chains: /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/
2021-08-31T20:40:24+09:00 [INFO] Extract local . to /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/local-cdb4ee2
2021-08-31T20:40:25+09:00 [INFO] Run `trivy fs --exit-code 1 .` on /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/local-cdb4ee2
2021-08-31T20:40:25.362+0900 INFO Using your github token
2021-08-31T20:40:25.540+0900 INFO Number of language-specific files: 5
2021-08-31T20:40:25.540+0900 INFO Detecting gobinary vulnerabilities...
2021-08-31T20:40:25.542+0900 INFO Detecting gomod vulnerabilities...
dist/goreleaserdocker077582362/oshka (gobinary)
===============================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
| github.com/containerd/containerd | CVE-2021-32760 | MEDIUM | v1.5.3 | v1.4.8, v1.5.4 | containerd: pulling and |
| | | | | | extracting crafted container |
| | | | | | image may result in Unix file... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-32760 |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
dist/oshka-darwin-windows_darwin_amd64/oshka (gobinary)
=======================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
| github.com/containerd/containerd | CVE-2021-32760 | MEDIUM | v1.5.3 | v1.4.8, v1.5.4 | containerd: pulling and |
| | | | | | extracting crafted container |
| | | | | | image may result in Unix file... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-32760 |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
dist/oshka-darwin-windows_windows_amd64/oshka.exe (gobinary)
============================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
| github.com/containerd/containerd | CVE-2021-32760 | MEDIUM | v1.5.3 | v1.4.8, v1.5.4 | containerd: pulling and |
| | | | | | extracting crafted container |
| | | | | | image may result in Unix file... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-32760 |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
dist/oshka-linux_linux_amd64/oshka (gobinary)
=============================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
| github.com/containerd/containerd | CVE-2021-32760 | MEDIUM | v1.5.3 | v1.4.8, v1.5.4 | containerd: pulling and |
| | | | | | extracting crafted container |
| | | | | | image may result in Unix file... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-32760 |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
go.sum (gomod)
==============
Total: 18 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 8, CRITICAL: 0)
+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+
| github.com/apache/thrift | CVE-2019-0205 | HIGH | 0.12.0 | 0.13.0 | thrift: Endless loop when |
| | | | | | feed with specific input data |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-0205 |
+ +------------------+ + + +-----------------------------------------+
| | CVE-2019-0210 | | | | thrift: Out-of-bounds read |
| | | | | | related to TJSONProtocol |
| | | | | | or TSimpleJSONProtocol |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-0210 |
+ +------------------+ + +---------------------------------------+-----------------------------------------+
| | CVE-2020-13949 | | | v0.14.0 | libthrift: potential DoS when |
| | | | | | processing untrusted payloads |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-13949 |
+------------------------------------+------------------+ +-----------------------------------+---------------------------------------+-----------------------------------------+
| github.com/buger/jsonparser | CVE-2020-10675 | | 0.0.0-20180808090653-f4dd9f5a6b44 | v0.0.0-20200321185410-91ac96899e49 | golang-github-buger-jsonparser: |
| | | | | | infinite loop via a Delete call |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-10675 |
+ +------------------+ + +---------------------------------------+-----------------------------------------+
| | CVE-2020-35381 | | | v1.1.1 | jsonparser: GET call can lead to |
| | | | | | a slice bounds out of range... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-35381 |
+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+
| github.com/containerd/containerd | CVE-2021-32760 | MEDIUM | 1.5.3 | v1.4.8, v1.5.4 | containerd: pulling and |
| | | | | | extracting crafted container |
| | | | | | image may result in Unix file... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-32760 |
+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+
| github.com/dgrijalva/jwt-go | CVE-2020-26160 | HIGH | 3.2.0+incompatible | | jwt-go: access restriction |
| | | | | | bypass vulnerability |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-26160 |
+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+
| github.com/gorilla/handlers | GO-2020-0020 | UNKNOWN | 0.0.0-20150720190736-60c7bfde3e33 | v1.3.0 | |
+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+
| github.com/miekg/dns | CVE-2019-19794 | MEDIUM | 1.0.14 | v1.1.25-0.20191211073109-8ebf2e419df7 | golang-github-miekg-dns: predictable |
| | | | | | TXID can lead to response forgeries |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-19794 |
+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+
| github.com/sassoftware/go-rpmutils | CVE-2020-7667 | HIGH | 0.0.0-20190420191620-a8f1baeba37b | v0.1.0 | In package |
| | | | | | github.com/sassoftware/go-rpmutils/cpio |
| | | | | | before version 0.1.0, the |
| | | | | | CPIO extraction functionality |
| | | | | | doesn't sanitize... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7667 |
+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+
| github.com/satori/go.uuid | GO-2020-0018 | UNKNOWN | 1.2.0 | v1.2.1-0.20181016170032-d91630c85102 | |
+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+
| github.com/ulikunitz/xz | CVE-2021-29482 | HIGH | 0.5.7 | v0.5.8 | ulikunitz/xz: Infinite |
| | | | | | loop in readUvarint allows |
| | | | | | for denial of service |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-29482 |
+ +------------------+----------+ + +-----------------------------------------+
| | GO-2020-0016 | UNKNOWN | | | |
+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+
| k8s.io/kubernetes | CVE-2019-1002101 | MEDIUM | 1.13.0 | 1.11.9, 1.12.7, 1.13.5, | kubernetes: Mishandling of |
| | | | | 1.14.1-beta.0 | symlinks allows for arbitrary |
| | | | | | file write via `kubectl cp`... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1002101 |
+ +------------------+ + +---------------------------------------+-----------------------------------------+
| | CVE-2019-11250 | | | v1.16.0-beta.1 | kubernetes: Bearer tokens |
| | | | | | written to logs at high |
| | | | | | verbosity levels (>= 7)... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-11250 |
+ +------------------+ + +---------------------------------------+-----------------------------------------+
| | CVE-2020-8554 | | | | kubernetes: MITM using |
| | | | | | LoadBalancer or ExternalIPs |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8554 |
+ +------------------+ + +---------------------------------------+-----------------------------------------+
| | CVE-2020-8564 | | | v1.20.0-alpha.1 | kubernetes: Docker config |
| | | | | | secrets leaked when file is |
| | | | | | malformed and loglevel >=... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8564 |
+ +------------------+ + +---------------------------------------+-----------------------------------------+
| | CVE-2020-8565 | | | v1.20.0-alpha.2 | kubernetes: Incomplete fix |
| | | | | | for CVE-2019-11250 allows for |
| | | | | | token leak in logs when... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8565 |
+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+
2021-08-31T20:40:25+09:00 [INFO] Detect action actions/setup-go@v2 from /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/local-cdb4ee2
2021-08-31T20:40:25+09:00 [INFO] Detect action actions/checkout@v2 from /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/local-cdb4ee2
2021-08-31T20:40:25+09:00 [INFO] Detect action golangci/golangci-lint-action@v2 from /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/local-cdb4ee2
2021-08-31T20:40:25+09:00 [INFO] Extract action actions/setup-go@v2 to /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/actions/setup-go@v2
Enumerating objects: 1035, done.
Counting objects: 100% (31/31), done.
Compressing objects: 100% (29/29), done.
Total 1035 (delta 12), reused 8 (delta 0), pack-reused 1004
2021-08-31T20:40:26+09:00 [INFO] Run `trivy fs --exit-code 1 .` on /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/actions/setup-go@v2
2021-08-31T20:40:26.931+0900 INFO Using your github token
2021-08-31T20:40:26.988+0900 INFO Number of language-specific files: 1
2021-08-31T20:40:26.988+0900 INFO Detecting npm vulnerabilities...
package-lock.json (npm)
=======================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
2021-08-31T20:40:26+09:00 [INFO] Extract action actions/checkout@v2 to /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/actions/checkout@v2
Enumerating objects: 997, done.
Counting objects: 100% (28/28), done.
Compressing objects: 100% (21/21), done.
Total 997 (delta 11), reused 11 (delta 6), pack-reused 969
2021-08-31T20:40:29+09:00 [INFO] Run `trivy fs --exit-code 1 .` on /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/actions/checkout@v2
2021-08-31T20:40:29.201+0900 INFO Using your github token
2021-08-31T20:40:29.261+0900 INFO Number of language-specific files: 1
2021-08-31T20:40:29.261+0900 INFO Detecting npm vulnerabilities...
package-lock.json (npm)
=======================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)
+---------------+------------------+----------+-------------------+---------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------+------------------+----------+-------------------+---------------------+---------------------------------------+
| @actions/core | CVE-2020-15228 | MEDIUM | 1.1.3 | 1.2.6 | Environment Variable |
| | | | | | Injection in GitHub Actions |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-15228 |
+---------------+------------------+ +-------------------+---------------------+---------------------------------------+
| node-fetch | CVE-2020-15168 | | 2.6.0 | 3.0.0-beta.9, 2.6.1 | node-fetch: size of data after |
| | | | | | fetch() JS thread leads to DoS |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-15168 |
+---------------+------------------+----------+-------------------+---------------------+---------------------------------------+
| underscore | CVE-2021-23358 | HIGH | 1.8.3 | 1.12.1 | nodejs-underscore: Arbitrary code |
| | | | | | execution via the template function |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23358 |
+---------------+------------------+----------+-------------------+---------------------+---------------------------------------+
2021-08-31T20:40:29+09:00 [INFO] Extract action golangci/golangci-lint-action@v2 to /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/golangci/golangci-lint-action@v2
Enumerating objects: 1342, done.
Counting objects: 100% (431/431), done.
Compressing objects: 100% (241/241), done.
Total 1342 (delta 329), reused 268 (delta 188), pack-reused 911
2021-08-31T20:40:31+09:00 [INFO] Run `trivy fs --exit-code 1 .` on /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/golangci/golangci-lint-action@v2
2021-08-31T20:40:31.226+0900 INFO Using your github token
2021-08-31T20:40:31.281+0900 INFO Number of language-specific files: 2
2021-08-31T20:40:31.281+0900 INFO Detecting npm vulnerabilities...
2021-08-31T20:40:31.282+0900 INFO Detecting gomod vulnerabilities...
package-lock.json (npm)
=======================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
sample-go-mod/go.sum (gomod)
============================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 3, CRITICAL: 0)
+-----------------------------+------------------+----------+-----------------------------------+---------------------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-----------------------------+------------------+----------+-----------------------------------+---------------------------------------+---------------------------------------+
| github.com/dgrijalva/jwt-go | CVE-2020-26160 | HIGH | 3.2.0+incompatible | | jwt-go: access restriction |
| | | | | | bypass vulnerability |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-26160 |
+-----------------------------+------------------+ +-----------------------------------+---------------------------------------+---------------------------------------+
| github.com/gogo/protobuf | CVE-2021-3121 | | 1.2.1 | v1.3.2 | gogo/protobuf: |
| | | | | | plugin/unmarshal/unmarshal.go |
| | | | | | lacks certain index validation |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3121 |
+-----------------------------+------------------+----------+-----------------------------------+---------------------------------------+---------------------------------------+
| github.com/miekg/dns | CVE-2019-19794 | MEDIUM | 1.0.14 | v1.1.25-0.20191211073109-8ebf2e419df7 | golang-github-miekg-dns: predictable |
| | | | | | TXID can lead to response forgeries |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-19794 |
+-----------------------------+------------------+----------+-----------------------------------+---------------------------------------+---------------------------------------+
| golang.org/x/crypto | CVE-2020-29652 | HIGH | 0.0.0-20200622213623-75b288015ac9 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted |
| | | | | | authentication request can |
| | | | | | lead to nil pointer dereference |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-29652 |
+-----------------------------+------------------+----------+-----------------------------------+---------------------------------------+---------------------------------------+
2021-08-31T20:40:31+09:00 [INFO] Cleanup temporary directory for extracting supply chains: /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/
Run results
===========
+----------------------------------+--------+--------------------------+-----------+-------+------------------------------------------------------------------+
| NAME | TYPE | COMMAND | EXIT CODE | DEPTH | HASH |
+----------------------------------+--------+--------------------------+-----------+-------+------------------------------------------------------------------+
| . | local | trivy fs --exit-code 1 . | 1 | 0 | 264b356a52a13e300b4635cf54b490e970e2ec0816678bbd81be62f5ad1f147d |
| | | | | | (dir hash) |
| actions/setup-go@v2 | action | trivy fs --exit-code 1 . | 0 | 1 | 331ce1d993939866bb63c32c6cbbfd48fa76fc57 (commit hash) |
| actions/checkout@v2 | action | trivy fs --exit-code 1 . | 1 | 1 | 5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f (commit hash) |
| golangci/golangci-lint-action@v2 | action | trivy fs --exit-code 1 . | 1 | 1 | 5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018 (commit hash) |
+----------------------------------+--------+--------------------------+-----------+-------+------------------------------------------------------------------+
$
Scan remote Git repository and supply chains for vulnerabilities using Trivy
$ oshka run repo github.com/rails/rails
Result
$ oshka run repo github.com/cli/cli
2021-08-31T00:46:39+09:00 [INFO] Create temporary directory for extracting supply chains: /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/
2021-08-31T00:46:39+09:00 [INFO] Extract repo github.com/cli/cli to /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/github.com/cli/cli
Enumerating objects: 26086, done.
Counting objects: 100% (743/743), done.
Compressing objects: 100% (579/579), done.
Total 26086 (delta 256), reused 412 (delta 160), pack-reused 25343
2021-08-31T00:46:46+09:00 [INFO] Run `trivy fs --exit-code 1 .` on /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/github.com/cli/cli
2021-08-31T00:46:47.049+0900 INFO Using your github token
2021-08-31T00:46:47.130+0900 INFO Number of language-specific files: 1
2021-08-31T00:46:47.130+0900 INFO Detecting gomod vulnerabilities...
[...]
2021-08-31T00:48:05+09:00 [INFO] Cleanup temporary directory for extracting supply chains: /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/
Run results
===========
+-------------------------+--------+--------------------------+-----------+-------+------------------------------------------+
| NAME | TYPE | COMMAND | EXIT CODE | DEPTH | HASH |
+-------------------------+--------+--------------------------+-----------+-------+------------------------------------------+
| github.com/rails/rails | repo | trivy fs --exit-code 1 . | 1 | 0 | c236ff686c6fa987924b8eefeec93c2abcc07843 |
| | | | | | (commit hash) |
| actions/checkout@v2 | action | trivy fs --exit-code 1 . | 1 | 1 | 5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f |
| | | | | | (commit hash) |
| actions/setup-python@v2 | action | trivy fs --exit-code 1 . | 0 | 1 | dc73133d4da04e56a135ae2246682783cc7c7cb6 |
| | | | | | (commit hash) |
| ruby/setup-ruby@v1 | action | trivy fs --exit-code 1 . | 1 | 1 | dbac26120bf2cab885aa98ecb4d22838ae969776 |
| | | | | | (commit hash) |
| actions/cache@v1 | action | trivy fs --exit-code 1 . | 1 | 1 | 70655ec8323daeeaa7ef06d7c56e1b9191396cbe |
| | | | | | (commit hash) |
+-------------------------+--------+--------------------------+-----------+-------+------------------------------------------+
$
Scan action of GitHub Actions and supply chains for vulnerabilities using Trivy
$ oshka run action actions/cache@v2
Result
$ oshka run action actions/cache@v2
2021-08-18T02:17:18+09:00 [INFO] Create temporary directory for extracting supply chains: /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/
2021-08-18T02:17:18+09:00 [INFO] Extract action actions/cache@v2 to /var/folders/fp/hk95_wsj7s18mmc9drvrxdp1tt294n/T/actions/cache@v2
[...]
Run results
===========
+-----------------------------------+--------+--------------------------+-----------+-------+-------------------------------------------------------------------------+
| NAME | TYPE | COMMAND | EXIT CODE | DEPTH | HASH |
+-----------------------------------+--------+--------------------------+-----------+-------+-------------------------------------------------------------------------+
| actions/cache@v2 | action | trivy fs --exit-code 1 . | 0 | 0, 1 | c64c572235d810460d0d6876e9c705ad5002b353 |
| | | | | | (commit hash) |
| actions/checkout@v2 | action | trivy fs --exit-code 1 . | 1 | 1 | 5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f |
| | | | | | (commit hash) |
| github/codeql-action/init@v1 | action | trivy fs --exit-code 1 . | 1 | 1 | 33f3438c1d59883f5e769fdf2b6adb6794d91d0f |
| | | | | | (commit hash) |
| github/codeql-action/autobuild@v1 | action | trivy fs --exit-code 1 . | 1 | 1 | 33f3438c1d59883f5e769fdf2b6adb6794d91d0f |
| | | | | | (commit hash) |
| github/codeql-action/analyze@v1 | action | trivy fs --exit-code 1 . | 1 | 1 | 33f3438c1d59883f5e769fdf2b6adb6794d91d0f |
| | | | | | (commit hash) |
| actions/setup-node@v1 | action | trivy fs --exit-code 1 . | 1 | 1 | f1f314fca9dfce2769ece7d933488f076716723e |
| | | | | | (commit hash) |
| ubuntu:latest | image | trivy fs --exit-code 1 . | 1 | 1 | sha256:10cbddb6cf8568f56584ccb6c866203e68ab8e621bb87038e254f6f27f955bbe |
| | | | | | (digest) |
| datadog/squid:latest | image | trivy fs --exit-code 1 . | 1 | 1 | sha256:f7d19d5e3f4163771291d91de393ce667f2327a3e080c39b9b7ea9e19f91488f |
| | | | | | (digest) |
+-----------------------------------+--------+--------------------------+-----------+-------+-------------------------------------------------------------------------+
$
Scan more deep supply chains
$ oshka run fs . --depth 3
Supported supply chains
- GitHub Actions
- Workflow file (ex.
.github/workflows/*.yml) - Action file (ex.
action.yml)- When using Dockerfile, require
dockerfor building image.
- When using Dockerfile, require
- Workflow file (ex.
- Docker image
Install
deb:
Use dpkg-i-from-url
$ export OSHKA_VERSION=X.X.X
$ curl -L https://git.io/dpkg-i-from-url | bash -s -- https://github.com/k1LoW/oshka/releases/download/v$OSHKA_VERSION/oshka_$OSHKA_VERSION-1_amd64.deb
RPM:
$ export OSHKA_VERSION=X.X.X
$ yum install https://github.com/k1LoW/oshka/releases/download/v$OSHKA_VERSION/oshka_$OSHKA_VERSION-1_amd64.rpm
apk:
Use apk-add-from-url
$ export OSHKA_VERSION=X.X.X
$ curl -L https://git.io/apk-add-from-url | sh -s -- https://github.com/k1LoW/oshka/releases/download/v$OSHKA_VERSION/oshka_$OSHKA_VERSION-1_amd64.apk
homebrew tap:
$ brew install k1LoW/tap/oshka
manually:
Download binary from releases page
go get:
$ go get github.com/k1LoW/oshka
docker:
$ docker pull ghcr.io/k1low/oshka:latest
References
- aquasecurity/trivy: Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues
- Security hardening for GitHub Actions: "Using third-party actions"
Documentation
¶
Overview ¶
Copyright © 2021 Ken'ichiro Oyama <k1lowxb@gmail.com>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.