Releases: north-echo/fluxgate

v0.7.0 — Public API, Multi-Platform, 53 Rules

04 Apr 19:16

Headlines

  • Public API: Scanner now importable as a Go library via pkg/scanner
  • 53 detection rules across 6 CI/CD platforms (was 21 in v0.6.0)
  • Interactive web dashboard with multi-database switcher
  • Longitudinal analysis: diff, merge, and anonymized export commands

Library Usage

import "github.com/north-echo/fluxgate/pkg/scanner"

findings, err := scanner.ScanWorkflowBytes(workflowYAML, "ci.yaml", scanner.ScanOptions{})

New Platform Support

  • Jenkins (JK-001 through JK-009)
  • Tekton (TK-001 through TK-009)
  • CircleCI (CC-001 through CC-009)
  • Expanded GitLab (GL-001 through GL-010) and Azure (AZ-001 through AZ-010)

New GitHub Actions Rules (FG-012 → FG-023)

  • If Always True, All Secrets Exposed, Missing Permissions on Risky Events
  • Curl Pipe Bash, Local Action After Untrusted Checkout, GitHub Script Injection
  • Impostor Commit, Hardcoded Container Credentials, Ref Confusion
  • Cross-Step Output Taint Tracking, Known Vulnerable Actions, Artifact Credential Leak

New Commands

  • fluxgate dashboard — interactive web UI
  • fluxgate diff — longitudinal analysis
  • fluxgate merge — database federation
  • fluxgate export — anonymized dataset
  • fluxgate disclosure — disclosure lifecycle tracking
  • fluxgate sarif-push — GitHub Code Scanning integration
  • fluxgate cache — no-workflow cache management

Detection Improvements

  • Trusted-ref isolation mitigation (42% reduction in false criticals)
  • Permission-gate job detection
  • Compound actor+fork guard detection
  • Echo/logging context downgrade for script injection

Acknowledgements

Detection coverage informed by comparative analysis of Poutine (BoostSecurity) and zizmor (Trail of Bits). Fluxgate extends their patterns with mitigation-aware severity modeling, AI-assisted triage, and multi-platform coverage.

v0.6.0

23 Mar 02:39

What's New

New Rules

  • FG-011: Bot Actor Guard TOCTOU — detects dependabot[bot]/renovate[bot] actor guards on pull_request_target and workflow_run workflows with fork checkout + execution. These guards are bypassable via TOCTOU (a new commit pushed between the bot trigger and the runner's checkout).

Rule Enhancements

  • FG-002: Now detects workflow_dispatch inputs (github.event.inputs.*) and workflow_call inputs (inputs.*) as injectable expressions.
  • FG-001: Bot actor guards no longer suppress findings to info — capped at high to reflect TOCTOU bypass risk.
  • FG-001+FG-002 correlation: Co-occurring pwn request and script injection findings on the same file are merged into a single enhanced finding referencing the Ultralytics attack pattern.

Security

  • Added SECURITY-BOUNDARIES.md defining public/private boundary for the project.
  • Hardened .gitignore to exclude research artifacts.

Stats

  • 21 rules across 3 CI/CD platforms (GitHub Actions, GitLab CI, Azure Pipelines)
  • 69 tests

v0.2.0 — FG-001 Severity Refinement

21 Mar 09:30

What's Changed

FG-001 (Pwn Request) now performs post-checkout execution analysis to distinguish between:

  • Critical [confirmed] — build tools (npm ci, make, cargo build, etc.) execute checked-out fork code
  • Critical [likely] — config-loading tools (eslint, jest, webpack) that execute repo config files
  • High [pattern-only] — pull_request_target + fork checkout present, but only read-only operations detected

This reduces false positives at critical severity for workflows that check out fork code but only perform static operations on it (diff, checksum, grep).

New confidence field in JSON output

{
  "rule_id": "FG-001",
  "severity": "critical",
  "confidence": "confirmed",
  "message": "Pwn Request: pull_request_target with fork checkout [confirmed] — run block executes 'make' on checked-out code (line 24)"
}
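The three-tier post-checkout analysis described above, as an added Go example that is not fluxgate's own code: it assumes a workflow already parsed into a hypothetical Step model (Uses/With/Run) plus its trigger list, and classifies a fork checkout on pull_request_target by what the steps after that checkout execute. The tool lists and the whole-token matching are assumptions made for the example.

```go
package main

import "strings"

// Step is a minimal hypothetical model of one already-parsed workflow step
// (not fluxgate's own type); YAML parsing is out of scope for this example.
type Step struct {
	Uses string            // action reference, e.g. actions/checkout@v4
	With map[string]string // action inputs such as ref
	Run  string            // shell for run: steps
}
type Finding struct{ Severity, Confidence, Message string }
// Tool lists follow the release notes' examples and are assumptions; extend as needed.
var buildTools = []string{"npm ci", "npm install", "make", "cargo build", "go build"}
var configTools = []string{"eslint", "jest", "webpack"}
// firstTool returns the first listed tool a run block invokes, matching whole tokens so "cmake" is not "make".
func firstTool(run string, tools []string) string {
	flat := strings.NewReplacer("&&", " ", "||", " ", ";", " ", "|", " ").Replace(run)
	norm := " " + strings.Join(strings.Fields(flat), " ") + " "
	for _, t := range tools {
		if strings.Contains(norm, " "+t+" ") {
			return t
		}
	}
	return ""
}
// ClassifyPwnRequest applies the three-tier FG-001 logic: pull_request_target trigger, checkout of the PR head (fork-controlled code), then what the steps after that checkout execute. nil means the pattern is absent.
func ClassifyPwnRequest(triggers []string, steps []Step) *Finding {
	prt := strings.Contains(" "+strings.Join(triggers, " ")+" ", " pull_request_target ")
	checkout := -1
	for i, s := range steps {
		if checkout < 0 && strings.HasPrefix(s.Uses, "actions/checkout") &&
			strings.Contains(s.With["ref"], "github.event.pull_request.head") {
			checkout = i // first step that checks out the fork's code
		}
	}
	if !prt || checkout < 0 {
		return nil
	}
	f := &Finding{"high", "pattern-only", "fork checkout present, only read-only steps seen after it"}
	for _, s := range steps[checkout+1:] {
		if t := firstTool(s.Run, buildTools); t != "" {
			return &Finding{"critical", "confirmed", "'" + t + "' executes checked-out fork code"}
		}
		if t := firstTool(s.Run, configTools); t != "" {
			f = &Finding{"critical", "likely", "'" + t + "' loads config files from checked-out code"}
		}
	}
	return f
}
```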

Full Changelog: v0.1.0...v0.2.0

v0.1.0 — CI/CD Pipeline Security Gate

21 Mar 03:54

Fluxgate v0.1.0

Static analysis tool for GitHub Actions workflows that detects dangerous CI/CD security patterns.

Detection Rules

Rule    Severity  Description
FG-001  Critical  Pwn Request: pull_request_target with fork checkout
FG-002  High      Script Injection via expression interpolation
FG-003  Medium    Tag-based action pinning (mutable references)
FG-004  Medium    Overly broad workflow permissions
FG-005  Low       Secrets exposed in workflow logs

Modes

  • fluxgate scan . — scan local workflows
  • fluxgate remote owner/repo — scan via GitHub API
  • fluxgate batch --top N --db findings.db — batch research scan

Install

go install github.com/north-echo/fluxgate/cmd/fluxgate@v0.1.0