NaveRazy-Navina/github-tj-actions-changed-files-action-scanner
πŸ” GitHub Actions Security Scanner for tj-actions/changed-files

🚀 Automated scanner for detecting and mitigating the tj-actions/changed-files GitHub Actions supply chain attack.
This script scans all affected repositories and workflows in an organization, detects potential leaked secrets, and helps teams mitigate risks efficiently.


⚠️ Why This Matters

On March 15, 2025, the widely used GitHub Action tj-actions/changed-files was compromised, leading to exfiltration of CI/CD secrets.
This tool automates the detection and cleanup process, making it easier for DevSecOps teams to respond quickly.

🔗 More details on the attack


🔧 How It Works

✅ Finds all repositories in an organization using tj-actions/changed-files.
✅ Scans all affected workflows in those repositories.
✅ Extracts logs of recent workflow runs.
✅ Detects & decodes potential leaked secrets (Base64 double-encoded strings).
✅ Logs findings for remediation.


📦 Installation & Usage

1. Clone the repository

git clone https://github.com/NaveRazy-Navina/github-tj-actions-changed-files-action-scanner.git
cd github-tj-actions-changed-files-action-scanner

2. Set up authentication

You need a GitHub Personal Access Token (PAT) with repo and workflow permissions. Export the token so the script can use it:

export GITHUB_TOKEN="your_personal_access_token"

3. Run the scanner

  • In fetch_github_logs.sh, set ORG to the name of your organization:
ORG="<<your org>>" 
  • Then make the script executable and run it:
chmod +x fetch_github_logs.sh
./fetch_github_logs.sh

🛠 The script will:

  • Search for all affected repositories.
  • Extract workflows using the vulnerable action.
  • Download CI/CD logs and scan for leaked secrets.
  • Save findings in GH_LOG.txt.
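The detection step above ("Detects & decodes potential leaked secrets") looks for Base64 double-encoded strings in the downloaded logs. The following is an added example of that check, not code from fetch_github_logs.sh: it pulls long Base64-looking tokens out of log text, decodes them twice, and keeps only results that are printable text. The log lines and the placeholder value are constructed here, and the script assumes GNU coreutils (base64 -d, grep -oE, tr).

```shell
#!/usr/bin/env bash
# Added example (not the scanner's own code): find double-Base64-encoded
# strings in workflow log text and print their decoded content.
# Assumes GNU coreutils: base64 -d, grep -oE, tr.

# Constructed placeholder, not a real secret. It is double-encoded at
# runtime so the sample log below contains a realistic-looking token.
PLAIN='EXAMPLE_PLACEHOLDER_SECRET=not-a-real-value'
TOKEN=$(printf '%s' "$PLAIN" | base64 | tr -d '\n' | base64 | tr -d '\n')

# Constructed sample log lines: one contains the double-encoded token.
SAMPLE_LOGS="2025-03-15T12:00:01Z Run tj-actions/changed-files@v45
2025-03-15T12:00:02Z $TOKEN
2025-03-15T12:00:03Z All done"

# Constructed negative sample: a 40-hex commit SHA is long and Base64-safe
# but must not be reported (its first decode is binary, not Base64 again).
NEGATIVE_LOGS="2025-03-15T12:00:04Z checkout 0123456789abcdef0123456789abcdef01234567 ok"

# Read log text on stdin; print the plaintext of every token that decodes
# twice from Base64 into printable text. Tokens shorter than 20 chars are
# ignored to limit noise from ordinary words and identifiers.
find_double_b64() {
  grep -oE '[A-Za-z0-9+/]{20,}={0,2}' | while read -r tok; do
    # First layer: must decode, and the result must itself be Base64.
    inner=$(printf '%s' "$tok" | base64 -d 2>/dev/null | tr -d '\000\n')
    printf '%s' "$inner" | LC_ALL=C grep -qE '^[A-Za-z0-9+/]+={0,2}$' || continue
    # Second layer: decode again and drop anything that is not printable text.
    plain=$(printf '%s' "$inner" | base64 -d 2>/dev/null | tr -d '\000')
    if printf '%s' "$plain" | LC_ALL=C grep -qE '^[[:print:]]+$'; then
      printf '%s\n' "$plain"
    fi
  done
}

# Stand-alone run: prints the placeholder recovered from the sample log.
printf '%s\n' "$SAMPLE_LOGS" | find_double_b64
```

Run over real logs the output is the decoded candidate, which is exactly the value that must be rotated; the placeholder here is only a stand-in for that. Any hit should be treated as exposed even if it looks partial, since the runner memory dump the compromised action printed was not guaranteed to be well-formed.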

⸻

πŸ” Understanding the Output

  • ✅ No affected workflows found → Your org is safe.
  • ⚠️ Possible leaked Base64 string found → Rotate affected secrets immediately.
  • ❌ Error fetching logs → Check if GitHub API access is restricted.

📜 Findings are logged in:

GH_LOG.txt

⸻

πŸ›‘οΈ Mitigation & Best Practices

🚨 If your CI/CD secrets were exposed, take these steps:

  1. Rotate all leaked credentials (GitHub tokens, AWS keys, DB credentials).
  2. Remove tj-actions/changed-files from workflows.
  3. Pin GitHub Actions to SHA hashes instead of version tags.
  4. Enable GitHub’s allow-list for Actions to restrict external actions.
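Step 3 (pin actions to SHA hashes) is easy to check mechanically. The following is an added example, not part of this scanner: it reads a workflow file on stdin and prints every `uses:` reference that is not pinned to a full 40-character commit SHA, which is how a mutable tag such as `@v45` slipped the compromised release into pipelines. The sample workflow, action names and the placeholder SHA are constructed; the script assumes sed -E and grep from GNU or BSD userland.

```shell
#!/usr/bin/env bash
# Added example (not the scanner's own code): list "uses:" references in a
# workflow that are not pinned to a full commit SHA.

# Constructed sample workflow; names and the SHA are placeholders.
SAMPLE_WORKFLOW=$(cat <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
EOF
)

# Read workflow YAML on stdin; print each "uses:" value whose ref is not a
# 40-hex commit SHA. Local actions (./path) and docker:// images carry no
# commit to pin and are skipped. Only unquoted or double-quoted values are
# handled, which covers the common layout.
unpinned_uses() {
  sed -nE 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*"?([^" #]+)"?.*$/\1/p' |
  while read -r ref; do
    case "$ref" in
      ./*|docker://*) continue ;;
    esac
    case "$ref" in
      *@*) ;;
      *) printf '%s\n' "$ref"; continue ;;   # no ref at all: also unpinned
    esac
    sha="${ref##*@}"
    printf '%s' "$sha" | LC_ALL=C grep -qE '^[0-9a-f]{40}$' || printf '%s\n' "$ref"
  done
}

# Stand-alone run: prints the two tag/branch-pinned references.
printf '%s\n' "$SAMPLE_WORKFLOW" | unpinned_uses
```

Pinning to a SHA only helps if the SHA is one you reviewed; keep the version tag in a trailing comment, as in the sample, so automated update tools can still track upstream releases. Step 4 (the organization allow-list) complements this by refusing actions that are not on the list even when a workflow references them by SHA.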

⸻

💡 Contributing

πŸ‘¨β€πŸ’» Contributions are welcome!

  • Found a bug? Open an issue.
  • Want to add a feature? Fork and submit a PR.

🛠 Security Researchers: Please follow responsible disclosure guidelines.

⸻

📜 License

πŸ“ MIT License - Free to use and improve.

📢 Spread the word to help secure more CI/CD pipelines! 🚀