
PR: OIDC Connection Detection in GitHub Actions Workflows#91

Open

DS-KoolAid wants to merge 4 commits into main from update/oidc-detection

Conversation

@DS-KoolAid (Collaborator) commented Feb 28, 2025

I've added detection for OIDC connections in GitHub Actions workflows. This helps us find when workflows are authenticating to cloud providers using GitHub's OIDC provider.

What's in this PR

The main feature is a new method in the WorkflowParser class that scans workflows for OIDC connections to cloud providers. It detects:

  • AWS role assumptions via aws-actions/configure-aws-credentials@v2 and env vars like AWS_ROLE_ARN
  • GCP service account impersonation through google-github-actions/auth
  • Azure authentication with azure/login and related client/tenant IDs
  • HashiCorp Vault JWT auth via vault-action

Why this matters

Workflows with OIDC can access sensitive cloud resources. For pen testing, these are potential privilege escalation paths.

Example output: (screenshot attached in the original PR; not reproduced here)
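The detection the PR describes, as an added example that is not the PR's own WorkflowParser code: it walks the dict that `yaml.safe_load()` returns for a workflow file and reports each step that authenticates to AWS, GCP, Azure or Vault, separating true OIDC federation from static-secret use. Two checks are added beyond the PR's list: whether the job or workflow grants `permissions: id-token: write` (without it GitHub will not mint the OIDC token, so the path is inert), and jobs that carry `AWS_ROLE_ARN`/`AZURE_*` environment hints without a known action. The action input names (`role-to-assume`, `workload_identity_provider`, `client-id`, `method: jwt`), the `hashicorp/vault-action` name and the sample workflow are the example author's assumptions, constructed for this illustration.

```python
"""Added example: scan a parsed GitHub Actions workflow for OIDC credential steps.

Works on the dict yaml.safe_load() would produce, so it runs without PyYAML.
SAMPLE_WORKFLOW below is constructed for this example.
"""
from __future__ import annotations

from typing import Any

# Actions named in the PR description, mapped to a provider label.
# Assumption: the Vault action is published as hashicorp/vault-action.
OIDC_ACTIONS = {
    "aws-actions/configure-aws-credentials": "aws",
    "google-github-actions/auth": "gcp",
    "azure/login": "azure",
    "hashicorp/vault-action": "vault",
}

# Per provider: (inputs that indicate OIDC federation, inputs that indicate a static secret).
# Input names are assumptions based on each action's documented interface; verify against its README.
FEDERATION_INPUTS: dict[str, tuple[set[str], set[str]]] = {
    "aws": ({"role-to-assume"}, {"aws-access-key-id", "aws-secret-access-key"}),
    "gcp": ({"workload_identity_provider"}, {"credentials_json"}),
    "azure": ({"client-id", "tenant-id"}, {"creds"}),
    "vault": ({"role"}, {"token"}),
}

# Environment variables that hint at OIDC role configuration outside a known action.
OIDC_ENV_HINTS = {"AWS_ROLE_ARN": "aws", "AZURE_CLIENT_ID": "azure", "AZURE_TENANT_ID": "azure"}


def _action_name(uses: str) -> str:
    """'aws-actions/configure-aws-credentials@v2' -> 'aws-actions/configure-aws-credentials'."""
    return uses.split("@", 1)[0].strip().lower()


def _grants_id_token(*permission_blocks: Any) -> bool:
    """True if any permissions block grants id-token: write (needed to mint an OIDC token)."""
    for perms in permission_blocks:
        if perms == "write-all":
            return True
        if isinstance(perms, dict) and str(perms.get("id-token", "")).lower() == "write":
            return True
    return False


def _classify(provider: str, inputs: dict[str, Any]) -> str:
    """Decide whether a step federates via OIDC or supplies a static secret."""
    federated, static = FEDERATION_INPUTS[provider]
    keys = set(inputs)
    # vault-action only exchanges the GitHub token when method is jwt.
    if provider == "vault" and str(inputs.get("method", "token")).lower() != "jwt":
        return "static-credentials"
    if keys & static:
        return "static-credentials"
    if keys & federated:
        return "oidc"
    return "unknown"


def detect_oidc_connections(workflow: dict[str, Any]) -> list[dict[str, Any]]:
    """One finding per provider-auth step; one env-hint finding per job lacking such a step."""
    findings: list[dict[str, Any]] = []
    wf_perms, wf_env = workflow.get("permissions"), workflow.get("env") or {}
    for job_name, job in (workflow.get("jobs") or {}).items():
        id_token = _grants_id_token(wf_perms, job.get("permissions"))
        job_findings: list[dict[str, Any]] = []
        hinted: dict[str, str] = {}
        for index, step in enumerate(job.get("steps") or []):
            env = {**wf_env, **(job.get("env") or {}), **(step.get("env") or {})}
            hinted.update({k: OIDC_ENV_HINTS[k] for k in env if k in OIDC_ENV_HINTS})
            uses = step.get("uses")
            provider = OIDC_ACTIONS.get(_action_name(uses)) if isinstance(uses, str) else None
            if not provider:
                continue
            inputs = step.get("with") or {}
            federated, _ = FEDERATION_INPUTS[provider]
            job_findings.append({
                "job": job_name, "step": index, "name": step.get("name") or uses,
                "provider": provider, "mode": _classify(provider, inputs),
                "id_token_write": id_token,
                "target": {k: inputs[k] for k in sorted(federated & set(inputs))},
            })
        if not job_findings and hinted:
            job_findings.append({
                "job": job_name, "step": None, "name": None,
                "provider": ",".join(sorted(set(hinted.values()))), "mode": "env-hint",
                "id_token_write": id_token, "target": dict(hinted),
            })
        findings.extend(job_findings)
    return findings


def summarize(findings: list[dict[str, Any]]) -> list[str]:
    """Human-readable lines: flag OIDC steps that can actually mint a token."""
    lines = []
    for f in findings:
        live = "token-mintable" if f["id_token_write"] else "no id-token:write"
        lines.append(f"{f['job']}[{f['step']}] {f['provider']} {f['mode']} ({live}) {f['target']}")
    return lines


# Constructed sample: one federated AWS job, one static-key GCP job, one Vault JWT job,
# one scripted job that only carries an AWS_ROLE_ARN hint.
SAMPLE_WORKFLOW: dict[str, Any] = {
    "name": "deploy", "on": "push", "permissions": {"contents": "read"},
    "jobs": {
        "deploy-aws": {"runs-on": "ubuntu-latest", "permissions": {"id-token": "write", "contents": "read"},
                       "steps": [{"uses": "actions/checkout@v4"},
                                 {"name": "Assume role", "uses": "aws-actions/configure-aws-credentials@v2",
                                  "with": {"role-to-assume": "arn:aws:iam::123456789012:role/example-deploy",
                                           "aws-region": "us-east-1"}}]},
        "deploy-gcp": {"runs-on": "ubuntu-latest",
                       "steps": [{"uses": "google-github-actions/auth@v2",
                                  "with": {"credentials_json": "${{ secrets.GCP_SA_KEY }}"}}]},
        "vault": {"runs-on": "ubuntu-latest", "permissions": "write-all",
                  "steps": [{"uses": "hashicorp/vault-action@v3",
                             "with": {"url": "https://vault.example.internal", "method": "jwt", "role": "ci-role"}}]},
        "scripted-aws": {"runs-on": "ubuntu-latest", "env": {"AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/example-scripted"},
                         "steps": [{"run": "aws sts get-caller-identity"}]},
    },
}

if __name__ == "__main__":
    print("\n".join(summarize(detect_oidc_connections(SAMPLE_WORKFLOW))))
```

Running the module prints four lines; only the AWS and Vault jobs are both OIDC-configured and able to mint a token, which is the set a reviewer would prioritise when auditing what a compromised workflow could reach.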

@DS-KoolAid DS-KoolAid requested a review from mas0nd February 28, 2025 23:49
@mas0nd mas0nd changed the base branch from main to dev March 3, 2025 23:15
@mas0nd mas0nd changed the base branch from dev to main April 9, 2025 22:43
