Checkmarx/Checkmarx-CVE-2025-30066-Detection-Tool

Checkmarx-CVE-2025-30066-Detection-Tool

These are tools for scanning your GitHub workflows and workflow run logs for potential malicious activity associated with CVE-2025-30066. The workflow scanner checks for a set of known risky GitHub Actions and for a suspicious code snippet embedded in workflow files; the log scanner looks for secrets that ended up exposed in workflow logs as a result of CVE-2025-30066.

CxGithubActionsScan

What It Scans

The script looks for the following in your workflow files:

GitHub Actions:
    reviewdog/action-setup
    reviewdog/action-shellcheck
    reviewdog/action-composite-template
    reviewdog/action-staticcheck
    reviewdog/action-ast-grep
    reviewdog/action-typos
    tj-actions/changed-files
    tj-actions/eslint-changed-files

Malicious Code Snippet:

A base64-encoded snippet:

IyEvdXNyL2Jpbi9lbnYgcHl0aG9uMwoKIyBiYXNlZCBvbiBodHRwczovL2RhdmlkZWJvdmUuY29tL2Jsb2cvP3A9MTY
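The workflow-file checks described above, as an added example that is not the repository's own code: it scans the text of one workflow file for `uses:` references to the listed actions and for the base64 snippet, and also records whether each hit is pinned to a full commit SHA rather than a mutable tag. The sample workflow is constructed for illustration.

```python
import re

# Actions and base64 snippet listed under "What It Scans" above.
RISKY_ACTIONS = {
    "reviewdog/action-setup", "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template", "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep", "reviewdog/action-typos",
    "tj-actions/changed-files", "tj-actions/eslint-changed-files",
}
SUSPICIOUS_SNIPPET = "IyEvdXNyL2Jpbi9lbnYgcHl0aG9uMwoKIyBiYXNlZCBvbiBodHRwczovL2RhdmlkZWJvdmUuY29tL2Jsb2cvP3A9MTY"

# Matches "uses: owner/repo[/subpath]@ref", with or without a leading "- " and quotes.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?([\w.-]+/[\w.-]+)(?:/[^@'\"\s]*)?@([^'\"\s#]+)",
    re.MULTILINE,
)


def scan_workflow(text):
    """Return findings for one workflow file's content, in file order."""
    line_of = lambda pos: text.count("\n", 0, pos) + 1  # 1-based line number
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        if action in RISKY_ACTIONS:
            # A 40-hex ref is a pinned commit SHA; anything else is a mutable tag or branch.
            findings.append({"type": "risky_action", "action": action, "ref": ref,
                             "pinned": re.fullmatch(r"[0-9a-f]{40}", ref) is not None,
                             "line": line_of(m.start())})
    idx = text.find(SUSPICIOUS_SNIPPET)
    if idx != -1:
        findings.append({"type": "suspicious_snippet", "line": line_of(idx)})
    return findings


# Constructed sample workflow: one clean step, two listed actions, and the snippet.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - name: lint
        uses: reviewdog/action-shellcheck@v1
      - run: echo IyEvdXNyL2Jpbi9lbnYgcHl0aG9uMwoKIyBiYXNlZCBvbiBodHRwczovL2RhdmlkZWJvdmUuY29tL2Jsb2cvP3A9MTY
"""
```

Running `scan_workflow(SAMPLE_WORKFLOW)` reports the two listed actions (lines 8 and 10, both unpinned) and the snippet on line 11; a checked-out repository can be covered by calling it on each file under `.github/workflows`.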

Scan Options

You can run the scan in one of three modes:

Organization Scan: Use the --org flag to scan all repositories within an organization.
Repository Scan: Use the --repo flag to scan a specific repository (format: owner/repo or a full GitHub URL).
User Scan: Use the --user flag to scan all repositories for a specific user.

GitHub Personal Access Token (PAT)

To access repository content, you'll need a GitHub Personal Access Token (PAT) provided via the --token flag:

Organization Scans: The PAT must include the repo and read:org scopes.
User/Repository Scans: The PAT should have repo (for private repos) or public_repo (for public repos).

How to Get Your GitHub PAT

  1. Sign in to GitHub and click on your profile picture.
  2. Navigate to Settings → Developer settings → Personal access tokens.
  3. Click Generate new token, provide a descriptive name, and select the required scopes.
  4. Generate and copy the token.

Sample Command

To scan all repositories in an organization called myorg with the default keywords, run:

python CxGithubActionsScan.py --org myorg --token YOUR_GITHUB_PAT

CxGithub2msScan

CxGithub2msScan is a Python tool that downloads GitHub Actions workflow run logs for a specified repository and scans them using the Checkmarx 2ms tool to detect secrets or leaked keys.

Requirements

  • Python 3.x
  • 2ms.exe (Checkmarx 2ms CLI) must be available in your PATH or in the same directory as the script.
    Download the 2ms binary from: https://github.com/Checkmarx/2ms
  • A GitHub personal access token with access to the repository's Actions logs.

GitHub Personal Access Token (PAT)

To download the repository's Actions logs, you'll need a GitHub Personal Access Token (PAT) provided via the --token flag.

How to Get Your GitHub PAT

  1. Sign in to GitHub and click on your profile picture.
  2. Navigate to Settings → Developer settings → Personal access tokens.
  3. Click Generate new token, provide a descriptive name, and select the required scopes.
  4. Generate and copy the token.

Usage

Run the tool from the command line with the required arguments. For example:

python CxGithub2msScan.py --owner your_org --repo your_repo --days 7 --token YOUR_GITHUB_TOKEN --output logs
