🐕 ci-cerberus
Guarding the gates of your GitHub workflows
What is it?
ci-cerberus is a tool designed to locate third-party GitHub Actions in your workflows, and report any known vulnerabilities back to you.
Running ci-cerberus
The easiest way to run this tool is with pipx.
You can install it (if you don't already have it) by following the instructions here.
Scan
scan is currently the only command available in ci-cerberus. It looks for workflows in your .github/workflows folder and finds any third-party actions. It then checks the NIST NVD for any known vulnerabilities and reports them back to you.
Navigate to the root of the repository you want to scan and run
pipx run ci-cerberus scan
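As an added illustration of the scan step (example code, not ci-cerberus's own), the Python below extracts uses: references from a workflow file, drops local and docker:// references, treats every remaining owner/repo reference as third-party (an assumption, since the tool's exact rule is not documented here), flags references that are not pinned to a full commit SHA, and builds the NIST NVD CVE API 2.0 keyword query such a lookup could start from (the query strategy is assumed, not taken from the tool).

```python
import re
from dataclasses import dataclass
from urllib.parse import urlencode
# Matches `uses: owner/repo@ref` (quoted or not) on a workflow step line.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; example-org/example-lint is a placeholder, not a real action.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: "example-org/example-lint@3b5c1e0f2a9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b"
      - uses: ./.github/actions/local-helper   # local action, not third-party
      - uses: docker://alpine:3.19             # container image, not an action repo
      - uses: actions/checkout@v4              # duplicate, reported once
"""

@dataclass(frozen=True)
class ActionRef:
    owner: str
    repo: str
    ref: str

    def is_pinned_to_sha(self) -> bool:
        # A full commit SHA cannot be moved the way a tag or branch can.
        return bool(FULL_SHA_RE.match(self.ref))

    def nvd_query_url(self) -> str:
        # Assumed lookup strategy: NVD CVE API 2.0 keyword search on owner and repo.
        return "https://services.nvd.nist.gov/rest/json/cves/2.0?" + urlencode(
            {"keywordSearch": f"{self.owner} {self.repo}"})

def parse_uses(value: str):
    """Return an ActionRef for a remote owner/repo reference, else None."""
    if value.startswith(("./", "docker://")):
        return None
    name, _, ref = value.partition("@")
    parts = name.split("/")
    return ActionRef(parts[0], parts[1], ref) if len(parts) >= 2 else None

def find_third_party_actions(workflow_text: str) -> list:
    """Unique remote action references, in order of first appearance."""
    found = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and (ref := parse_uses(m.group(1))) and ref not in found:
            found.append(ref)
    return found
```

Running find_third_party_actions over every *.yml and *.yaml file under .github/workflows gives the list a scanner like this would then look up, with the unpinned references being the ones worth a second look.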
Debug Mode
If you want to see more information about what this tool is doing under the hood, you can enable debug mode by supplying the -d or --debug flag before the command:
pipx run ci-cerberus -d scan
Help
If you're stuck, you can pull up the help text any time by running
pipx run ci-cerberus -h
Notes
This tool was created as a project for one of my modules on the Masters program I'm currently enrolled in at Abertay University.
If you're reading this, then you're probably one of my lecturers 👋🏻