feat: Audit secrets outside an environment

Author: aldur

src/audit/mod.rs

@@ -26,6 +26,7 @@ pub(crate) mod known_vulnerable_actions;
 pub(crate) mod overprovisioned_secrets;
 pub(crate) mod ref_confusion;
 pub(crate) mod secrets_inherit;
+pub(crate) mod secrets_outside_environment;
 pub(crate) mod self_hosted_runner;
 pub(crate) mod template_injection;
 pub(crate) mod unpinned_uses;

src/audit/secrets_outside_environment.rs

@@ -0,0 +1,79 @@
+use github_actions_models::{
+    common::{expr::LoE, Env, EnvValue},
+    workflow::job::StepBody,
+};
+
+use super::{audit_meta, Audit};
+use crate::{finding::Confidence, models::Job};
+
+pub(crate) struct SecretsOutsideEnvironment;
+
+audit_meta!(
+    SecretsOutsideEnvironment,
+    "secrets-outside-environment",
+    "secrets used without an environment to gate them"
+);
+
+impl Audit for SecretsOutsideEnvironment {
+    fn new(_state: super::AuditState) -> anyhow::Result<Self>
+    where
+        Self: Sized,
+    {
+        Ok(Self)
+    }
+
+    fn audit_raw<'w>(
+        &self,
+        input: &'w super::AuditInput,
+    ) -> anyhow::Result<Vec<crate::finding::Finding<'w>>> {
+        let mut findings = vec![];
+
+        if let super::AuditInput::Workflow(w) = input {
+            for job in w.jobs() {
+                if let Job::NormalJob(j) = job {
+                    if j.environment().is_some() {
+                        continue;
+                    }
+
+                    for step in j.steps() {
+                        let body = &step.body;
+                        let eenv: &Env;
+
+                        match body {
+                            StepBody::Uses { uses: _, with } => {
+                                eenv = with;
+                            }
+                            StepBody::Run {
+                                run: _,
+                                shell: _,
+                                env,
+                                working_directory: _,
+                            } => match env {
+                                LoE::Expr(_) => {
+                                    panic!("We don't handle Expr yet!")
+                                }
+                                LoE::Literal(env) => eenv = env,
+                            },
+                        }
+
+                        for v in eenv.values() {
+                            if let EnvValue::String(s) = v {
+                                if s.contains("secrets") {
+                                    findings.push(
+                                        Self::finding()
+                                            .add_location(step.location().primary())
+                                            .confidence(Confidence::High)
+                                            .severity(crate::finding::Severity::High)
+                                            .build(input)?,
+                                    );
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        Ok(findings)
+    }
+}

src/main.rs

@@ -1,12 +1,12 @@
 use std::{
-    io::{Write, stdout},
+    io::{stdout, Write},
     process::ExitCode,
     str::FromStr,
 };
 
 use annotate_snippets::{Level, Renderer};
 use anstream::{eprintln, stream::IsTerminal};
-use anyhow::{Context, Result, anyhow};
+use anyhow::{anyhow, Context, Result};
 use audit::Audit;
 use camino::{Utf8Path, Utf8PathBuf};
 use clap::{Parser, ValueEnum};
@@ -21,9 +21,9 @@ use models::Action;
 use owo_colors::OwoColorize;
 use registry::{AuditRegistry, FindingRegistry, InputRegistry};
 use state::AuditState;
-use tracing::{Span, info_span, instrument};
-use tracing_indicatif::{IndicatifLayer, span_ext::IndicatifSpanExt};
-use tracing_subscriber::{EnvFilter, layer::SubscriberExt as _, util::SubscriberInitExt as _};
+use tracing::{info_span, instrument, Span};
+use tracing_indicatif::{span_ext::IndicatifSpanExt, IndicatifLayer};
+use tracing_subscriber::{layer::SubscriberExt as _, util::SubscriberInitExt as _, EnvFilter};
 
 mod audit;
 mod config;
@@ -501,6 +501,7 @@ fn run() -> Result<ExitCode> {
     register_audit!(audit::github_env::GitHubEnv);
     register_audit!(audit::cache_poisoning::CachePoisoning);
     register_audit!(audit::secrets_inherit::SecretsInherit);
+    register_audit!(audit::secrets_outside_environment::SecretsOutsideEnvironment);
     register_audit!(audit::bot_conditions::BotConditions);
     register_audit!(audit::overprovisioned_secrets::OverprovisionedSecrets);
     register_audit!(audit::unredacted_secrets::UnredactedSecrets);

src/models.rs

@@ -5,17 +5,17 @@ use std::collections::HashMap;
 use std::fmt::Debug;
 use std::{iter::Enumerate, ops::Deref};
 
-use anyhow::{Context, Result, bail};
+use anyhow::{bail, Context, Result};
 use camino::Utf8Path;
-use github_actions_models::common::Env;
 use github_actions_models::common::expr::LoE;
+use github_actions_models::common::Env;
 use github_actions_models::workflow::event::{BareEvent, OptionalBody};
-use github_actions_models::workflow::job::{RunsOn, Strategy};
-use github_actions_models::workflow::{self, Trigger, job, job::StepBody};
+use github_actions_models::workflow::job::{DeploymentEnvironment, RunsOn, Strategy};
+use github_actions_models::workflow::{self, job, job::StepBody, Trigger};
 use github_actions_models::{action, common};
 use indexmap::IndexMap;
 use line_index::LineIndex;
-use serde_json::{Value, json};
+use serde_json::{json, Value};
 use terminal_link::Link;
 
 use crate::finding::{Route, SymbolicLocation};
@@ -210,6 +210,10 @@ impl<'w> NormalJob<'w> {
         Steps::new(self)
     }
 
+    pub(crate) fn environment(&self) -> Option<&DeploymentEnvironment> {
+        self.inner.environment.as_ref()
+    }
+
     /// Perform feats of heroism to figure of what this job's runner's
     /// default shell is.
     ///

tests/integration/test-data/secrets-outside-environment.yml

@@ -0,0 +1,12 @@
+name: Action
+on: push
+jobs:
+  build:
+    name: Job
+    runs-on: ubuntu-latest
+    steps:
+      - name: Docker setup
+        uses: stacks-network/actions/docker@main
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}