Action-control – open-source GitHub Actions security tool

github.com

3 points by d0ublespeak 8 months ago · 1 comment


d0ublespeak (OP) 8 months ago

I put together a little tool for people (it’s me, I’m people) that helps identify GitHub actions in use across the organisation.

It’s currently early days and I’m planning to expand it, but at the moment it:

- runs across either a single repository or an entire GitHub Org
- provides a list of actions in use per repo as well as a list of most commonly used ones (currently this list isn’t perfect, I am working on improving this)
- can be run as a GitHub Action that enforces a deny or allow list of actions

Coming up:

- integration with GitHub Security Scanning API
- GitHub App
- static analysis for actions quality and safety
- analysis of action pinning and enforcement (similar to ratchet)
- a potential blacklist of malicious versions
- maybe some cool stuff around immutable actions
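To make the post's three current capabilities concrete (per-repo inventory of `uses:` references, a usage count across an org, and allow/deny-list enforcement), here is an added example that is not the linked tool's code. It takes workflow files as text, pulls out the `uses:` targets with a line regex rather than a full YAML parse (a simplification; a real tool should parse the YAML so that multi-line scalars, comments and composite-action `runs:` blocks are handled), and also flags references that are not pinned to a full commit SHA, since a mutable tag or branch is the usual supply-chain weak point. The workflow contents, repository names, policy patterns and the 40-hex "SHA" are all constructed for the example.

```python
"""Inventory and policy-check the GitHub Actions referenced by workflow files.

Added example; the regex-based extraction is a simplification of what a
YAML-aware tool would do. All sample data below is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple

# Matches `uses: owner/repo[/path]@ref`, with or without a leading list dash
# and with optional quotes around the value. Trailing comments are ignored.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)["\']?')

# Full-length commit SHAs (SHA-1 today; SHA-256 repos exist) are the only
# immutable form of an action reference. Tags and branches can be moved.
SHA_RE = re.compile(r"[0-9a-f]{40}|[0-9a-f]{64}")


@dataclass(frozen=True)
class ActionRef:
    raw: str     # the reference exactly as written in the workflow
    owner: str
    repo: str
    path: str    # sub-directory for actions living inside a larger repo
    ref: str     # tag, branch or commit SHA after the '@'

    @property
    def slug(self) -> str:
        return f"{self.owner}/{self.repo}"

    @property
    def pinned_to_sha(self) -> bool:
        return SHA_RE.fullmatch(self.ref) is not None


def extract_uses(workflow_text: str) -> List[str]:
    """Return every `uses:` value in a workflow, in file order."""
    found = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def parse_action(raw: str) -> Optional[ActionRef]:
    """Parse a marketplace/GitHub-hosted reference; skip local and docker:// ones."""
    if raw.startswith("./") or raw.startswith("docker://"):
        return None
    target, _, ref = raw.partition("@")
    parts = target.split("/", 2)
    if len(parts) < 2:
        return None
    path = parts[2] if len(parts) == 3 else ""
    return ActionRef(raw, parts[0], parts[1], path, ref)


def inventory(repos: Dict[str, str]) -> Tuple[Dict[str, List[ActionRef]], Counter]:
    """Per-repo action list plus a count of how many repos use each action."""
    per_repo: Dict[str, List[ActionRef]] = {}
    usage: Counter = Counter()
    for name, text in repos.items():
        refs = [a for a in map(parse_action, extract_uses(text)) if a]
        per_repo[name] = refs
        usage.update({a.slug for a in refs})  # count each action once per repo
    return per_repo, usage


def check_policy(actions: List[ActionRef], allow: Optional[List[str]] = None,
                 deny: Optional[List[str]] = None,
                 require_sha: bool = True) -> List[Tuple[str, str]]:
    """Return (raw_ref, reason) findings. Deny wins over allow; patterns are fnmatch globs."""
    findings = []
    for a in actions:
        if deny and any(fnmatch(a.slug, p) for p in deny):
            findings.append((a.raw, "denied by policy"))
        elif allow and not any(fnmatch(a.slug, p) for p in allow):
            findings.append((a.raw, "not on allow list"))
        if require_sha and not a.pinned_to_sha:
            findings.append((a.raw, "not pinned to a commit SHA"))
    return findings


# Constructed sample workflows; the 40-hex ref is a placeholder, not a real commit.
WORKFLOW_A = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
        with:
          node-version: 20
      - uses: ./.github/actions/local-thing
      - name: Third-party deploy
        uses: "some-org/deploy-tool@main"
"""
WORKFLOW_B = """
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: docker://alpine:3.19
      - uses: github/codeql-action/init@v3
"""
SAMPLE_REPOS = {"example-org/repo-a": WORKFLOW_A, "example-org/repo-b": WORKFLOW_B}
POLICY = {"allow": ["actions/*", "github/*"], "deny": ["some-org/*"], "require_sha": True}

if __name__ == "__main__":
    per_repo, usage = inventory(SAMPLE_REPOS)
    for repo, refs in per_repo.items():
        print(repo, [a.raw for a in refs])
        for raw, reason in check_policy(refs, **POLICY):
            print("  FAIL", raw, "-", reason)
    print("most used:", usage.most_common(3))
```

Run as-is it prints the inventory for the two constructed repos and fails `repo-a` on the denied third-party action and the two tag-pinned references; in an enforcing CI job the non-empty findings list would become a non-zero exit. Deny is evaluated before allow so a broad `actions/*` allow cannot be used to smuggle in a specifically denied action.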
