enhancement: github-actions analysis #1055
Description
Is there interest in performing analysis of GitHub Actions implementations, e.g. pkg:githubactions/actions/checkout@v4.1.6?
I'm interested in the same outputs: files/networks/executables the action performs as it's executing.
I'm uniquely interested in writes to the $GITHUB_ENV path (e.g. if an action modifies the PATH variable).
The system could use https://github.com/nektos/act to provide an Actions-compatible sandbox to run on any compute.
The system could run on Actions compute, as an instrumented workflow: https://medium.com/develeap/verifiable-github-actions-and-workflow-security-using-ebpf-an-insight-from-kubecon-2023-858567dc9a64
Shopify built a system that combines both: we set up tracee on an Actions worker, then invoke Actions-on-Actions using nektos/act pointed at a honeypot repository.
The biggest gap would be the lack of package-feeds support - since GitHub acts as the registry, detecting new versions of known Actions is trivial but detecting new Actions is ~impossible(?).
Related
- Actions in the PURL spec Add GitHub Actions type package-url/purl-spec#243
- Slack discussion - https://openssf.slack.com/archives/C04KSQC9E5P/p1715081187200429