Add support for detection usage of GitHub Actions debug var (boostsec…

…urityio#88) * Added support for GitHub Actions debug env vars * Update debug_enabled.md Signed-off-by: François Proulx <76956526+fproulx-boostsecurity@users.noreply.github.com> --------- Signed-off-by: François Proulx <76956526+fproulx-boostsecurity@users.noreply.github.com>
coveord · May 23, 2024 · 36d3c7f · 36d3c7f
1 parent 8aff818
commit 36d3c7f
Show file tree

Hide file tree

Showing 5 changed files with 119 additions and 6 deletions.
diff --git a/docs/content/en/rules/debug_enabled.md b/docs/content/en/rules/debug_enabled.md
@@ -13,6 +13,42 @@ potentially expose sensitive information.
 
 ## Remediation
 
+### GitHub Actions
+
+In the workflow file, remove the `ACTIONS_RUNNER_DEBUG` or `ACTIONS_STEP_DEBUG` environment variables. This may also be enabled by setting a secret or variable, so the fact that `poutine` does not detect those variables, does not guarantee it is not enabled otherwise.
+
+#### Recommended
+```yaml
+on:
+  push:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - id: 1
+        run: echo Hello
+```
+
+#### Anti-Pattern
+```yaml
+on:
+  push:
+
+env:
+  ACTIONS_RUNNER_DEBUG: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - id: 1
+        env:
+          ACTIONS_STEP_DEBUG: true
+        run: echo Hello
+```
+
+
 ### Gitlab CI
 
 In the workflow file, remove the `CI_DEBUG_TRACE` or `CI_DEBUG_SERVICES` variable in the `job` definition or set to false.
@@ -35,4 +71,4 @@ job_name:
 
 ## See Also
  - https://docs.gitlab.com/ee/ci/variables/index.html#enable-debug-logging
- - https://docs.gitlab.com/ee/ci/variables/index.html#mask-a-cicd-variable
+ - https://docs.gitlab.com/ee/ci/variables/index.html#mask-a-cicd-variable
diff --git a/opa/rego/rules/debug_enabled.rego b/opa/rego/rules/debug_enabled.rego
@@ -15,16 +15,16 @@ import rego.v1
 
 rule := poutine.rule(rego.metadata.chain())
 
+_gitlab_debug_vars := {"CI_DEBUG_TRACE", "CI_DEBUG_SERVICES"}
+
 results contains poutine.finding(rule, pkg_purl, {
 	"path": config_path,
 	"details": concat(" ", sort(vars)),
 }) if {
-	vars := _debug_enabled[[pkg_purl, config_path]]
+	vars := _gitlab_debug_enabled[[pkg_purl, config_path]]
 }
 
-_gitlab_debug_vars := {"CI_DEBUG_TRACE", "CI_DEBUG_SERVICES"}
-
-_debug_enabled[[pkg.purl, config.path]] contains var.name if {
+_gitlab_debug_enabled[[pkg.purl, config.path]] contains var.name if {
 	pkg := input.packages[_]
 	config := pkg.gitlabci_configs[_]
 	var := config.variables[_]
@@ -33,11 +33,54 @@ _debug_enabled[[pkg.purl, config.path]] contains var.name if {
 	lower(var.value) == "true"
 }
 
-_debug_enabled[[pkg.purl, config.path]] contains var.name if {
+_gitlab_debug_enabled[[pkg.purl, config.path]] contains var.name if {
 	pkg := input.packages[_]
 	config := pkg.gitlabci_configs[_]
 	var := config.jobs[_].variables[_]
 
 	var.name in _gitlab_debug_vars
 	lower(var.value) == "true"
 }
+
+_github_actions_debug_env_vars := {"ACTIONS_STEP_DEBUG", "ACTIONS_RUNNER_DEBUG"}
+
+is_debug_enabled(var) = true if {
+    var.name in _github_actions_debug_env_vars
+    lower(var.value) == "true"
+}
+
+results contains poutine.finding(rule, pkg.purl, {
+	"path": workflow.path,
+	"details": var.name,
+}) if {
+	pkg := input.packages[_]
+	workflow := pkg.github_actions_workflows[_]
+    var := workflow.env[_]
+    is_debug_enabled(var)
+}
+
+results contains poutine.finding(rule, pkg.purl, {
+	"path": workflow.path,
+	"job": job.id,
+	"details": var.name,
+}) if {
+	pkg := input.packages[_]
+    workflow := pkg.github_actions_workflows[_]
+    job := workflow.jobs[_]
+    var := job.env[_]
+    is_debug_enabled(var)
+}
+
+results contains poutine.finding(rule, pkg.purl, {
+	"path": workflow.path,
+	"job": job.id,
+	"step": step.id,
+	"details": var.name,
+}) if {
+	pkg := input.packages[_]
+    workflow := pkg.github_actions_workflows[_]
+    job := workflow.jobs[_]
+    step := job.steps[_]
+    var := step.env[_]
+    is_debug_enabled(var)
+}
diff --git a/scanner/inventory_test.go b/scanner/inventory_test.go
@@ -84,6 +84,24 @@ func TestFindings(t *testing.T) {
 	})
 
 	findings := []opa.Finding{
+		{
+			RuleId: "debug_enabled",
+			Purl:   purl,
+			Meta: opa.FindingMeta{
+				Path:    ".github/workflows/debug_enabled_valid.yml",
+				Details: "ACTIONS_RUNNER_DEBUG",
+			},
+		},
+		{
+			RuleId: "debug_enabled",
+			Purl:   purl,
+			Meta: opa.FindingMeta{
+				Job:     "build",
+				Path:    ".github/workflows/debug_enabled_valid.yml",
+				Step:    "1",
+				Details: "ACTIONS_STEP_DEBUG",
+			},
+		},
 		{
 			RuleId: "injection",
 			Purl:   purl,

diff --git a/scanner/scanner_test.go b/scanner/scanner_test.go
@@ -18,6 +18,7 @@ func TestGithubWorkflows(t *testing.T) {
 		paths = append(paths, workflow.Path)
 	}
 	assert.ElementsMatch(t, paths, []string{
+		".github/workflows/debug_enabled_valid.yml",
 		".github/workflows/valid.yml",
 		".github/workflows/reusable.yml",
 		".github/workflows/secrets.yaml",

diff --git a/scanner/testdata/.github/workflows/debug_enabled_valid.yml b/scanner/testdata/.github/workflows/debug_enabled_valid.yml
@@ -0,0 +1,15 @@
+name: debug_enabled_valid.yml
+on:
+  push:
+
+env:
+  ACTIONS_RUNNER_DEBUG: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - id: 1
+        env:
+          ACTIONS_STEP_DEBUG: true
+        run: echo Hello