# CIAnalyser

CIAnalyser is a tool developed for our paper *Understanding Security Threats in Open Source Software CI/CD Scripts* (published in TDSC). It crawls repositories that have OSS CI configured and analyzes the security properties of their CI scripts.

For the latest release and the dataset, check here.

## Requirements
- Docker
- Golang
- PostgreSQL
## Configuration

Prepare a `config.ini` configuration file according to `config.ini.tmpl`.

To run a dockerized PostgreSQL, check this. Start a postgres container:

```shell
$ docker run \
--name postgres -d \
--restart unless-stopped \
-e POSTGRES_USER=ZJU-SEC \
-e POSTGRES_PASSWORD=<YOUR DB PASSWORD> \
-e POSTGRES_DB=CIAnalyser \
-p 5432:5432 postgres
```

## Usage

```shell
$ go build CIAnalyser
$ ./CIAnalyser <stage-code>
```

Common stage codes, grouped by purpose:
| Stage | Stage code | Description |
| --- | --- | --- |
| crawl data | `index-repo` | crawl repos via the GitHub API |
| crawl data | `clone-repo` | git clone the crawled repos |
| crawl data | `clone-script` | git clone the CI scripts |
| crawl data | `crawl-verified` | crawl the verified CI scripts |
| prepare for analysis | `extract-script` | extract the CI script dependencies |
| prepare for analysis | `categorize-script` | categorize CI scripts to find |
| prepare for analysis | `parse-using` | get the runtime environment of each CI script |
| prepare for analysis | `label-usage` | count the reference type of each script usage |
| prepare for analysis | `label-lag` | calculate the reference lag of each script usage |
| prepare for analysis | `extract-credential` | extract credential usage in repos |
| generate analysis report | `analyze` | generate the analysis report |
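The `label-usage` stage counts how CI scripts reference the actions they depend on. The example below is added here to illustrate that idea and is not CIAnalyser's own code: it scans the `uses:` lines of a constructed GitHub Actions workflow and labels each reference as a full commit SHA (immutable), a version tag, a branch name (both mutable), or a local/container path. The regexes, the `RefKind` names and the treatment of a missing `@ref` as a branch-style unpinned reference are assumptions made for this illustration, not the tool's definitions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RefKind labels how a workflow references a third-party action.
// Hypothetical names chosen for this example.
type RefKind string

const (
	RefCommit RefKind = "commit" // 40-hex commit SHA: content cannot change
	RefTag    RefKind = "tag"    // version tag: can be moved by the maintainer
	RefBranch RefKind = "branch" // branch (or no ref at all): follows latest commit
	RefLocal  RefKind = "local"  // ./path or docker:// image: no Git ref to label
)

var (
	// Matches "uses: owner/repo@ref" (quoted or not) and captures the value.
	usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^"'\s#]+)`)
	shaRef   = regexp.MustCompile(`^[0-9a-f]{40}$`)
	// Heuristic: tags of the form v3, 1.2, v4.1.1. Other tag styles are
	// labelled as branches by this simplified rule.
	tagRef = regexp.MustCompile(`^v?\d+(\.\d+)*$`)
)

// ClassifyRef returns the reference kind of one "uses:" value.
func ClassifyRef(uses string) RefKind {
	if strings.HasPrefix(uses, "./") || strings.HasPrefix(uses, "docker://") {
		return RefLocal
	}
	at := strings.LastIndex(uses, "@")
	if at < 0 {
		return RefBranch // no explicit ref: treated as unpinned (assumption)
	}
	ref := uses[at+1:]
	switch {
	case shaRef.MatchString(ref):
		return RefCommit
	case tagRef.MatchString(ref):
		return RefTag
	default:
		return RefBranch
	}
}

// CountUsages scans workflow text line by line and counts references per kind.
func CountUsages(workflow string) map[RefKind]int {
	counts := map[RefKind]int{}
	for _, line := range strings.Split(workflow, "\n") {
		m := usesLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		counts[ClassifyRef(m[1])]++
	}
	return counts
}

// Constructed sample workflow; the SHA and "some-org" action are made up.
const sampleWorkflow = `
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/lint-action@main
      - uses: ./.github/actions/local-step
      - run: go build ./...
`

func main() {
	for kind, n := range CountUsages(sampleWorkflow) {
		fmt.Printf("%-7s %d\n", kind, n)
	}
}
```

Only the commit-SHA form guarantees the step runs the code that was reviewed; tag and branch references can be redirected by whoever controls the upstream repository, which is why a per-kind count is a useful first signal when auditing a CI configuration.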
## Citation

```bibtex
@article{pan2022ambush,
  title={Ambush from All Sides: Understanding Security Threats in Open-Source Software CI/CD Pipelines},
  author={Pan, Ziyue and Shen, Wenbo and Wang, Xingkai and Yang, Yutian and Chang, Rui and Liu, Yao and Liu, Chengwei and Liu, Yang and Ren, Kui},
  journal={IEEE Transactions on Dependable and Secure Computing},
  year={2023},
  publisher={IEEE}
}
```