Updated script and tests, added README

aegilops · aegilops · commit 5aa9c5e51784 · 2025-03-20T17:16:11.000Z
diff --git a/README.md b/README.md
@@ -13,10 +13,12 @@ Optionally, filter by a particular action, possibly including a commit SHA of in
 
 ## Usage
 
-Set a `GITHUB_TOKEN` in the environment with appropriate access to the audit log on your org or Enterprise.
+For all scripts, you must set a `GITHUB_TOKEN` in the environment with appropriate access to the audit log on your org or Enterprise, or the repository you are interested in.
 
 For Enterprise Server or Data Residency users, please set `GITHUB_BASE_URL` in your environment, e.g. `https://github.acme-inc.com/api/v3`
 
+### audit_workflow_runs.js
+
 ```text
 node audit_workflow_runs.js <org or enterprise name> <ent|org|repo> <start date> <end date> [<action>] [<commit SHA>]
 ```
@@ -29,6 +31,24 @@ For example:
 node audit_workflow_runs.js github org 2025-03-13 2025-03-15 tj-actions/changed-files 0e58ed8671d6b60d0890c21b07f8835ace038e67
 ```
 
+### find_compromised_secrets.js
+
+This script takes the output of `audit_workflow_runs.js` and searches for secrets that were used in a workflow run.
+
+Take the output from the single-line JSON file for any known compromised Actions and run it through this script.
+
+```text
+node find_compromised_secrets.js < <path sljson file>
+```
+
+Results are printed to the console, and written to a file in the current directory, named `compromised_secrets.sljson`.
+
+For example:
+
+```bash
+node find_compromised_secrets.js < workflow_audit_results.sljson
+```
+
 ## Changelog
 
 ### 2025-05-20 15:10Z
diff --git a/find_compromised_secrets.js b/find_compromised_secrets.js
@@ -101,6 +101,11 @@ async function main() {
       continue;
     }
   }
+
+  for (const secret of all_secrets) {
+    // write to a file
+    fs.appendFileSync("compromised_secrets.sljson", JSON.stringify(secret) + "\n");
+  }
 }
 
 await main();
diff --git a/find_compromised_secrets_helper.js b/find_compromised_secrets_helper.js
@@ -1,9 +1,12 @@
 
 // base64 strings were used to leak the secrets
-export const base64Regex =
-  /^(?:[A-Za-z0-9+/]{4}){5,}(?:|[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/;
+export const base64Regex1 =
+  /^(?:[A-Za-z0-9+/]{4}){16,}(?:[A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)\s*$/;
 
-export function findSecretsInLines(lines, base64Regex) {
+export const base64Regex2 =
+  /^(?:[A-Za-z0-9+/]{4}){10,}(?:[A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)\s*$/;
+
+export function findSecretsInLines(lines) {
   const secrets = [];
           
   for (const line of lines) {
@@ -18,7 +21,7 @@ export function findSecretsInLines(lines, base64Regex) {
       continue;
     }
 
-    const match = base64Regex.exec(data);
+    const match = base64Regex1.exec(data);
     if (!match) {
         continue;
     }
@@ -28,8 +31,9 @@ export function findSecretsInLines(lines, base64Regex) {
     try {
         const decodedOnce = Buffer.from(secret, "base64").toString();
 
-        const match2 = base64Regex.exec(decodedOnce);
+        const match2 = base64Regex2.exec(decodedOnce);
         if (!match2) {
+            console.log("Failed to match base64 data after first decode: " + decodedOnce);
             continue;
         }
 
@@ -42,6 +46,7 @@ export function findSecretsInLines(lines, base64Regex) {
                 secrets.push(jsonDecoded);
             }
         } catch (error) {
+            console.log("Failed to decode JSON data after second decode: " + decoded);
             continue;
         }
     } catch (error) {
@@ -50,4 +55,4 @@ export function findSecretsInLines(lines, base64Regex) {
   }
 
   return secrets;
-}
+}
diff --git a/test_find_compromised_secrets.js b/test_find_compromised_secrets.js
@@ -1,20 +1,21 @@
 import assert from "assert";
-import { findSecretsInLines, base64Regex } from "./find_compromised_secrets_helper.js";
+import { findSecretsInLines, base64Regex1 } from "./find_compromised_secrets_helper.js";
 
 function testFindSecretsInLines() {
   console.log("Running test for findSecretsInLines...");
 
   // Simulate reading lines from a file
   const lines = [
     "2025-03-20T12:01:00Z SW1kcGRHaDFZbDkwYjJ0bGJpSTZleUoyWVd4MVpTSTZJbWRvYzE4d01EQXdNREF3TURBd01EQXdNREF3TURBd01EQXdNREF3TURBd01EQXdNREFpTENBaWFYTlRaV055WlhRaU9pQjBjblZsZlFvPQo=",
+    "2025-03-20T12:00:00Z SWpBaU9uc2lkbUZzZFdVaU9pSmhJaXdnSW1selUyVmpjbVYwSWpwMGNuVmxmUW89Cg==",
     "2025-03-20T12:00:00Z Some log message",
     "2025-03-20T12:02:00Z Another log message",
     "",
   ];
 
-  const data = "AAAAAAAAAAAAAAAA";
+  const data = "SWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
 
-  const match = base64Regex.exec(data);
+  const match = base64Regex1.exec(data);
   
   assert(match, "Failed to match base64 data");
 
@@ -25,11 +26,17 @@ function testFindSecretsInLines() {
             isSecret: true,
             value: 'ghs_000000000000000000000000000000000'
         }
+    },
+    {
+        "0": {
+            isSecret: true,
+            value: 'a'
+        }
     }
   ];
 
   // Call the function
-  const secrets = findSecretsInLines(lines, base64Regex);
+  const secrets = findSecretsInLines(lines);
 
   // Assert the results
   assert.deepStrictEqual(

Original file line number	Diff line number	Diff line change
`@@ -101,6 +101,11 @@ async function main() {`
`101`	`101`	`continue;`
`102`	`102`	`}`
`103`	`103`	`}`
	`104`	`+`
	`105`	`+ for (const secret of all_secrets) {`
	`106`	`+ // write to a file`
	`107`	`+ fs.appendFileSync("compromised_secrets.sljson", JSON.stringify(secret) + "\n");`
	`108`	`+ }`
`104`	`109`	`}`
`105`	`110`
`106`	`111`	`await main();`