gavinroderick/ci-cerberus

🐕 ci-cerberus

Guarding the gates of your GitHub workflows

What is it?

ci-cerberus is a tool designed to locate third-party GitHub Actions in your workflows, and report any known vulnerabilities back to you.

Running ci-cerberus

The easiest way to run this tool is with pipx.

You can install it (if you don't already have it) by following the instructions here

Scan

scan is currently the only command available in ci-cerberus.

It looks for workflow files in your .github/workflows folder and finds any third-party actions they use. It then checks the NIST NVD for known vulnerabilities affecting those actions and reports them back to you.

Navigate to the root of the repository you want to scan and run

pipx run ci-cerberus scan

Debug Mode

If you want to see more information about what this tool is doing under the hood, you can enable debug mode by supplying the -d or --debug flag before the command.

pipx run ci-cerberus -d scan

Help

If you're stuck, you can pull up the help text any time by running

pipx run ci-cerberus -h

Notes

This tool was created as a project for one of my modules on the Masters program I'm currently enrolled in at Abertay University.

If you're reading this, then you're probably one of my lecturers 👋🏻

About

Scan GitHub workflows for known vulnerable actions using the NIST National Vulnerability Database (NVD) API.
