Support scanning GitHub Actions
complete
Allan Reyes
Do y’all have anything on the roadmap (or does it already exist!?) for scanning GH actions? Lots of these are JS packages anyway, but just not published to npm. And I’m not too keen on reading through dist/ folders manually. Would love support for this!
Feross Aboukhadijeh (Socket)
marked this post as
complete
Socket now supports scanning GitHub Actions for malware and unsafe behavior. This experimental release brings Socket’s deep package inspection and taint-tracking capabilities to the CI/CD layer, giving teams visibility into risks hidden inside GitHub workflows for the first time.
See: https://socket.dev/blog/introducing-github-actions-scanning-support
Feross Aboukhadijeh (Socket)
marked this post as
in progress
GitHub Actions scanning is in progress! You can follow the progress on our Ecosystem support page: https://docs.socket.dev/docs/language-support
Feross Aboukhadijeh (Socket)
Merged in a post:
Malware detection within GitHub Actions
Amjed Aboukhadijeh
Joévin SOULENQ
Allan Reyes, it seems to be a duplicate of https://feedback.socket.dev/feature-requests/p/malware-detection-within-github-actions
Feross Aboukhadijeh (Socket)
Joévin SOULENQ: Merged!
Feross Aboukhadijeh (Socket)
marked this post as
under review
This should be doable, but we need to investigate what would be required to add support.