ARGUS Overview

---

ARGUS is a groundbreaking static taint analysis system specifically designed to identify code injection vulnerabilities in GitHub Actions. It is the first of its kind, offering a unique approach to securing Continuous Integration/Continuous Deployment (CI/CD) pipelines.

The system operates by tracking the flow of untrusted data across workflows and their associated actions, thereby identifying potential vulnerabilities. ARGUS has been meticulously tested on a large scale, analyzing over 2.7 million workflows and more than 31,000 actions. The results of this evaluation revealed critical code injection vulnerabilities in thousands of workflows and actions, highlighting the pervasive nature of such vulnerabilities in the GitHub Actions ecosystem.

ARGUS not only outperforms existing pattern-based vulnerability scanners but also underscores the necessity of taint analysis for effective vulnerability detection. The development and implementation of ARGUS represent a significant stride towards enhancing the security of GitHub Actions and CI/CD pipelines at large.

Github's Blog

GitHub published a blog post about our findings and also mentioned our tool. We are grateful for the support provided by them throughout our research.

Code

Our tool is opensourced on GitHub. Please check out the repository for more details.

Bibtex

        @inproceedings{muralee2023Argus,
          title={ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions},
          author={S. Muralee, I. Koishybayev, A. Nahapetyan, G. Tystahl, B. Reaves, A. Bianchi, W. Enck, 
            A. Kapravelos, A. Machiry},
          booktitle={32st USENIX Security Symposium (USENIX Security 23)},
          year={2023},
        }
      

Team

---

The ARGUS is built by Purdue Systems and Software Security Lab (PurS3) and PurSec Lab at Purdue University
and Wolfpack Security and Privacy Research (WSPR) lab at North Carolina State University.