
Releases: north-echo/fluxgate

v0.6.0

23 Mar 02:39


What's New

New Rules

  • FG-011: Bot Actor Guard TOCTOU — detects dependabot[bot]/renovate[bot] actor guards (the usual form is if: github.actor == 'dependabot[bot]') on pull_request_target and workflow_run workflows that check out and execute fork code. Such a guard is bypassable via TOCTOU: a new commit pushed to the PR head branch between the bot-triggered event and the runner's checkout is what gets checked out and run, under the bot's identity.

Rule Enhancements

  • FG-002: Now detects workflow_dispatch inputs (github.event.inputs.*) and workflow_call inputs (inputs.*) as injectable expressions.
  • FG-001: A bot actor guard no longer downgrades the finding to info; severity is now lowered no further than high, because the guard can be bypassed via TOCTOU.
  • FG-001+FG-002 correlation: Co-occurring pwn request and script injection findings on the same file are merged into a single enhanced finding referencing the Ultralytics attack pattern.
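The three v0.6.0 changes above (FG-011's bot-guard TOCTOU, the widened FG-002 context list, and the FG-001+FG-002 merge) reconstructed as a small Python scanner. This is an added example, not fluxgate's code or a description of its internals: the regexes, the "any run step after the fork checkout counts as execution" heuristic, the rule ids attached to findings, the merged severity, and the two embedded workflows (one vulnerable, one hardened) are all assumptions made here, and the scanner is line-oriented rather than a YAML parser.

```python
"""Line-oriented scanner for the v0.6.0 patterns. Added example, not fluxgate's
code: the regexes, the execution heuristic and the rule ids on each finding are
assumptions about how the release notes would map to code (no YAML parser)."""
import json
import re

# Contexts an outside contributor controls; the two inputs.* forms are the
# v0.6.0 additions. Constructed list, not the tool's.
UNTRUSTED = re.compile(
    r"github\.event\.(issue|pull_request|comment|review|discussion)\.(title|body)"
    r"|github\.event\.pull_request\.head\.(ref|label)|github\.head_ref"
    r"|github\.event\.inputs\.\w+"   # workflow_dispatch inputs
    r"|(?<![\w.])inputs\.\w+"        # workflow_call inputs
)
EXPR = re.compile(r"\$\{\{(.*?)\}\}", re.S)
FORK_CHECKOUT = re.compile(r"^\s*(ref|repository):.*github\.event\.(pull_request\.head|workflow_run)")
BOT_GUARD = re.compile(r"github\.actor\s*==\s*'(dependabot|renovate)\[bot\]'")
RANK = ["info", "low", "medium", "high", "critical"]


def on_section(text):
    """Body of the top-level `on:` mapping (heuristic: stops at the next top-level key)."""
    out, inside = [], False
    for line in text.splitlines():
        if line.startswith("on:"):
            inside, out = True, [line[3:]]
        elif inside:
            if line.strip() and not line[0].isspace():
                break
            out.append(line)
    return "\n".join(out)


def run_blocks(text):
    """Yield (1-based line, command text) per `run:` step, folding `run: |` by indentation."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^\s*(?:-\s+)?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        rest = m.group(1).strip()
        if rest in ("|", "|-", "|+", ">", ">-", ">+"):
            key_col, body, j = lines[i].index("run:"), [], i + 1
            while j < len(lines) and (not lines[j].strip()
                                      or len(lines[j]) - len(lines[j].lstrip(" ")) > key_col):
                body.append(lines[j].strip())
                j += 1
            yield i + 1, "\n".join(b for b in body if b)
            i = j
        else:
            yield i + 1, rest
            i += 1


def scan(text):
    lines, findings = text.splitlines(), []
    triggers = [t for t in ("pull_request_target", "workflow_run") if re.search(r"\b%s\b" % t, on_section(text))]
    checkout = next((n for n, l in enumerate(lines, 1) if FORK_CHECKOUT.search(l)), None)
    runs = list(run_blocks(text))
    executes = [n for n, _ in runs if checkout and n > checkout]  # heuristic: any run step after checkout
    guard = BOT_GUARD.search(text)
    if triggers and checkout and executes:
        msg = f"Pwn Request: {'/'.join(triggers)} with fork checkout (line {checkout}) and execution (line {executes[0]})"
        if guard:  # guard caps severity at high, never info: the head branch can gain a commit before checkout
            msg += "; bot actor guard is TOCTOU-bypassable"
            findings.append({"rule_id": "FG-011", "severity": "high", "message": "Bot Actor Guard TOCTOU: " + guard.group(0)})
        findings.append({"rule_id": "FG-001", "severity": "high" if guard else "critical", "message": msg})
    for n, cmd in runs:
        for expr in EXPR.findall(cmd):
            hit = UNTRUSTED.search(expr)
            if hit:
                findings.append({"rule_id": "FG-002", "severity": "high",
                                 "message": f"Script Injection: '{hit.group(0)}' interpolated into run block (line {n})"})
    # Correlation: co-occurring FG-001 and FG-002 collapse into one finding. Merged
    # severity = highest of the parts (assumption; the notes do not say).
    pwn = [f for f in findings if f["rule_id"] == "FG-001"]
    inj = [f for f in findings if f["rule_id"] == "FG-002"]
    if pwn and inj:
        parts = pwn + inj
        merged = {"rule_id": "FG-001+FG-002", "severity": max((f["severity"] for f in parts), key=RANK.index),
                  "message": "Pwn request combined with script injection (Ultralytics attack pattern): "
                             + "; ".join(f["message"] for f in parts)}
        findings = [merged] + [f for f in findings if f not in parts]
    return findings


# Constructed workflows: the first has every v0.6.0 pattern, the second checks out
# only the base repo and passes untrusted values through env instead of the shell.
VULNERABLE = """\
on:
  pull_request_target:
  workflow_dispatch:
jobs:
  fix:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
      - run: |
          npm ci
          npm test
      - run: echo "tag=${{ github.event.inputs.tag }} ${{ github.event.pull_request.title }}"
"""
HARDENED = """\
on:
  pull_request_target:
  workflow_dispatch:
jobs:
  fix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # base repo only, fork code never checked out
      - env:
          TAG: ${{ github.event.inputs.tag }}
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "tag=$TAG $TITLE"
"""

if __name__ == "__main__":
    print(json.dumps(scan(VULNERABLE), indent=2), json.dumps(scan(HARDENED)))
```

Run on the vulnerable workflow it emits one merged FG-001+FG-002 finding at high (the bot guard caps it) plus the FG-011 finding; delete the if: line and the merged finding becomes critical. The hardened workflow yields nothing, because the scanner only inspects run text and the fork ref is gone; that is also the shape of the fix a reviewer would ask for, since the actor guard alone buys nothing against the TOCTOU.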

Security

  • Added SECURITY-BOUNDARIES.md defining public/private boundary for the project.
  • Hardened .gitignore to exclude research artifacts.

Stats

  • 21 rules across 3 CI/CD platforms (GitHub Actions, GitLab CI, Azure Pipelines)
  • 69 tests

v0.2.0 — FG-001 Severity Refinement

21 Mar 09:30


What's Changed

FG-001 (Pwn Request) now performs post-checkout execution analysis to distinguish between:

  • Critical [confirmed] — build tools (npm ci, make, cargo build, etc.) execute checked-out fork code
  • Critical [likely] — config-loading tools (eslint, jest, webpack) that execute repo config files
  • High [pattern-only] — pull_request_target + fork checkout present, but only read-only operations detected

This reduces false positives at critical severity for workflows that check out fork code but only perform static operations on it (diff, checksum, grep).

New confidence field in JSON output

{
  "rule_id": "FG-001",
  "severity": "critical",
  "confidence": "confirmed",
  "message": "Pwn Request: pull_request_target with fork checkout [confirmed] — run block executes 'make' on checked-out code (line 24)"
}
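The three confidence tiers and the JSON shape above, reconstructed in Python over the shell text of run steps that follow a fork checkout. This is an added example, not fluxgate's code: the tool lists, the handling of npx/sudo wrappers and repo-relative script paths, and the severity mapping (critical for confirmed and likely, high for pattern-only) are assumptions taken from the wording of the notes, and the two step lists are constructed.

```python
"""Post-checkout execution analysis in the shape the v0.2.0 notes describe.
Added example, not fluxgate's code: the tool lists and the severity mapping are
assumptions drawn from the three tiers, applied to the shell text of `run:`
steps that follow a fork checkout."""
import json
import re
import shlex

# Confirmed: the tool itself runs code from the checked-out tree.
BUILD_TOOLS = {"npm", "yarn", "pnpm", "make", "cargo", "go", "mvn", "gradle", "pip", "python", "bash", "sh"}
# Likely: the tool loads (and evaluates) a config file from the tree.
CONFIG_LOADERS = {"eslint", "jest", "webpack", "prettier", "vitest", "mocha", "tsc", "babel"}
READ_ONLY = {"git", "diff", "sha256sum", "md5sum", "grep", "cat", "ls", "wc", "find", "echo"}
WRAPPERS = {"npx", "sudo", "time", "env", "nice"}


def segments(run_text):
    """Split a run block into individual commands (newlines, &&, ||, ;, |)."""
    for line in run_text.splitlines():
        for seg in re.split(r"\s*(?:&&|\|\||;|\|)\s*", line):
            if seg.strip():
                yield seg.strip()


def classify_command(cmd):
    """Return (tier, tool) for one command: confirmed / likely / read-only / unknown."""
    try:
        toks = shlex.split(cmd)
    except ValueError:
        toks = cmd.split()
    # Skip VAR=value prefixes, wrappers such as npx/sudo, and their flags.
    while toks and (re.fullmatch(r"\w+=.*", toks[0]) or toks[0] in WRAPPERS or toks[0].startswith("-")):
        toks.pop(0)
    if not toks:
        return "unknown", None
    tok = toks[0]
    # A repo-relative script path is fork code by definition.
    if tok.startswith(("./", "../")) or ("/" in tok and not tok.startswith("/")):
        return "confirmed", tok
    name = tok.rsplit("/", 1)[-1]
    if name in BUILD_TOOLS:
        return "confirmed", name
    if name in CONFIG_LOADERS:
        return "likely", name
    if name in READ_ONLY:
        return "read-only", name
    return "unknown", name


def analyze(steps):
    """steps: [(line_no, run_text), ...] located after the fork checkout -> one FG-001 finding."""
    rank = {"pattern-only": 0, "likely": 1, "confirmed": 2}
    tier, tool, line_no = "pattern-only", None, None
    for n, run_text in steps:
        for seg in segments(run_text):
            t, name = classify_command(seg)
            if t in rank and rank[t] > rank[tier]:  # keep the strongest evidence seen
                tier, tool, line_no = t, name, n
    if tier == "pattern-only":
        detail = "only read-only operations detected after checkout"
    else:
        verb = "executes" if tier == "confirmed" else "loads config through"
        detail = f"run block {verb} '{tool}' on checked-out code (line {line_no})"
    return {
        "rule_id": "FG-001",
        "severity": "critical" if tier != "pattern-only" else "high",
        "confidence": tier,
        "message": f"Pwn Request: pull_request_target with fork checkout [{tier}]: {detail}",
    }


# Constructed step lists standing in for two workflows' post-checkout run blocks.
BUILD_STEPS = [(18, "git fetch origin\ngit diff --stat origin/main"), (24, "npx eslint . && make")]
STATIC_STEPS = [(18, "git diff --name-only origin/main...HEAD | grep '\\.md$'"), (19, "sha256sum dist/*")]

if __name__ == "__main__":
    for steps in (BUILD_STEPS, STATIC_STEPS):
        print(json.dumps(analyze(steps), indent=2))
```

The first step list yields a [confirmed] critical finding naming make on line 24 even though an earlier segment on the same line only reached [likely] through eslint; the second, which only diffs, greps and checksums, stays at [pattern-only] high. Repo-relative scripts such as ./scripts/build.sh are treated as confirmed regardless of the tool lists, since any such path is fork code.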

Full Changelog: v0.1.0...v0.2.0

v0.1.0 — CI/CD Pipeline Security Gate

21 Mar 03:54


Fluxgate v0.1.0

Static analysis tool for GitHub Actions workflows detecting dangerous CI/CD security patterns.

Detection Rules

Rule Severity Description
FG-001 Critical Pwn Request: pull_request_target with fork checkout
FG-002 High Script Injection via expression interpolation
FG-003 Medium Tag-based action pinning (mutable references)
FG-004 Medium Overly broad workflow permissions
FG-005 Low Secrets exposed in workflow logs

Modes

  • fluxgate scan . — scan local workflows
  • fluxgate remote owner/repo — scan via GitHub API
  • fluxgate batch --top N --db findings.db — batch research scan

Install

go install github.com/north-echo/fluxgate/cmd/fluxgate@v0.1.0