Adds new check for inclusion of non GitHub-managed actions

README.md

@@ -50,7 +50,7 @@ jobs:
 
 1. Name: `check_for_3p_actions_without_hash`, Level: `FAIL`
 
-    - This check identifies any third-party GitHub Actions in use that have been referenced via a version number such as `v1.1` instead of commit SHA haah. Using a hash can help mitigate supply chain threats in a scenario where a threat actor has compromised the source repository where the 3P action lives.
+    - This check identifies any third party GitHub Actions in use that have been referenced via a version number such as `v1.1` instead of commit SHA haah. Using a hash can help mitigate supply chain threats in a scenario where a threat actor has compromised the source repository where the 3P action lives.
 
 2. Name: `check_for_allow_unsecure_commands`, Level: `FAIL`
 
@@ -96,6 +96,10 @@ jobs:
 
     - This check is essential for identifying any usage of GitHub's upload/download artifact Action, as it can potentially expose your workflow to compromised files. For instance, an uploaded artifact might contain a compiled binary from a previous workflow, but this binary could be compromised due to the introduction of malicious dependencies during the compilation phase. Consequently, if this tainted binary is executed within another workflow, it could lead to significant security risks. To mitigate such risks, it is crucial for users to conduct integrity checks on artifacts before consumption. This check serves as a valuable reminder to reinforce this security practice.
 
+13. Name: `check_for_non_github_managed_actions`, Level: `WARN`
+
+    - This check looks for inclusion of non GitHub-managed actions and serves as a reminder to review the security posture of any third party actions you include in your workflow(s), especially if they are not developed and maintained by credible entities.
+
 #### Auxiliary Checks
 
 1. Name: `check_for_codeowners_file` - checks for existence of [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) file.

__about__.py

@@ -1,3 +1,3 @@
 """ about.py """
 
-__version__ = "1.5.7"
+__version__ = "1.6.7"

analyzer/analyzer.py

@@ -35,6 +35,7 @@ def __init__(
             "_check_for_aws_configure_credentials_non_oidc": {"level": "WARN"},
             "_check_for_create_or_approve_pull_request": {"level": "FAIL"},
             "_check_for_remote_script": {"level": "WARN"},
+            "_check_for_non_github_managed_actions": {"level": "WARN"},
         }
         self.auxiliary_checks = [
             "_check_for_codeowners_file",
@@ -345,6 +346,20 @@ def _check_for_codeowners_file(self) -> bool:
             if self.verbose:
                 print(f"{Colors.LIGHT_BLUE}AUXI{Colors.END} found CODEOWNERS file")
 
+    def _check_for_non_github_managed_actions(self) -> bool:
+        passed = True
+        for job in self.jobs:
+            for step in self.jobs[job]["steps"]:
+                if "uses" in step:
+                    action = step["uses"].strip()
+                    if not search(analyzer.regex.GITHUB_MANAGED_ACTION, action):
+                        if self.verbose:
+                            print(
+                                f"{Colors.LIGHT_GRAY}INFO{Colors.END} using non GitHub-managed action('{action}') - make sure its safe to use!"
+                            )
+                        passed = False
+        return passed
+
     def _run_aux_checks(self) -> None:
         """Runs auxiliary checks which are checks for security-related
         configurations/properties/mechanisms that contribute to more secure

analyzer/regex.py

@@ -15,3 +15,4 @@
 CURL_CREATE_APPROVE_PR = (
     r".*curl.*https:\/\/api\.github\.com\/repos\/[0-9a-zA-Z-._]+\/[0-9a-zA-Z-._]+\/pulls\/[0-9]{1,}\/reviews.*"
 )
+GITHUB_MANAGED_ACTION = r"^actions\/.*"