ARGUS Overview
ARGUS is a groundbreaking static taint analysis system specifically designed to identify code injection vulnerabilities in GitHub Actions. It is the first of its kind, offering a unique approach to securing Continuous Integration/Continuous Deployment (CI/CD) pipelines.
The system operates by tracking the flow of untrusted data across workflows and their associated actions, thereby identifying potential vulnerabilities. ARGUS has been meticulously tested on a large scale, analyzing over 2.7 million workflows and more than 31,000 actions. The results of this evaluation revealed critical code injection vulnerabilities in thousands of workflows and actions, highlighting the pervasive nature of such vulnerabilities in the GitHub Actions ecosystem.
ARGUS not only outperforms existing pattern-based vulnerability scanners but also underscores the necessity of taint analysis for effective vulnerability detection. The development and implementation of ARGUS represent a significant stride towards enhancing the security of GitHub Actions and CI/CD pipelines at large.
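The bug class ARGUS tracks, as an added illustration that is not ARGUS's own code: a minimal pattern-based check (the kind of scanner the text says taint analysis improves on) that finds attacker-controlled expressions expanded directly into a `run:` script, with a constructed vulnerable workflow beside its fixed form. The `UNTRUSTED` list and both sample workflows are constructed for this example, not taken from the paper.

```python
import re

# Contexts GitHub documents as attacker-controlled (constructed, non-exhaustive list).
UNTRUSTED = ("github.event.issue.title", "github.event.issue.body",
             "github.event.pull_request.title", "github.event.pull_request.body",
             "github.event.comment.body", "github.head_ref")
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*([\w.\-\[\]']+)\s*\}\}")

def run_scripts(workflow_text):  # yield each `run:` script, inline or block scalar
    lines, i = workflow_text.splitlines(), 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        i += 1
        if not m:
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        if rest not in ("|", "|-", ">", ">-"):
            yield rest          # inline script
            continue
        block = []              # block scalar: lines indented deeper than `run:`
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > indent):
            block.append(lines[i].strip())
            i += 1
        yield "\n".join(block)

def find_injections(workflow_text):
    """Untrusted expressions the runner pastes as raw text into a run: script."""
    hits = []
    for script in run_scripts(workflow_text):
        for e in EXPR_RE.finditer(script):
            ctx = e.group(1)
            if any(ctx == u or ctx.startswith(u + ".") for u in UNTRUSTED):
                hits.append(ctx)
    return hits
# Constructed sample: the untrusted issue title is expanded straight into the shell.
VULNERABLE = """\
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"
"""
# Fixed form: the value goes through an env var, so the shell sees only $TITLE.
FIXED = VULNERABLE.replace(
    '- run: |\n          echo "New issue: ${{ github.event.issue.title }}"',
    '- env:\n          TITLE: ${{ github.event.issue.title }}\n        run: echo "New issue: $TITLE"')
```

The check is line-based and sees only `run:` steps; the flow ARGUS follows through action inputs and `outputs` between steps and actions is exactly what such a pattern scanner misses.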
GitHub's Blog
GitHub published a blog post about our findings and also mentioned our tool. We are grateful for the support provided by them throughout our research.
Code
Our tool is open-sourced on GitHub. Please check out the repository for more details.
BibTeX
@inproceedings{muralee2023Argus,
  title={ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions},
  author={S. Muralee, I. Koishybayev, A. Nahapetyan, G. Tystahl, B. Reaves, A. Bianchi, W. Enck, A. Kapravelos, A. Machiry},
  booktitle={32nd USENIX Security Symposium (USENIX Security 23)},
  year={2023},
}
Team
ARGUS is built by the Purdue Systems and Software Security Lab (PurS3) and the PurSec Lab at Purdue University, and the Wolfpack Security and Privacy Research (WSPR) lab at North Carolina State University.
Funding
We are grateful to the following sources for funding this project.