claws is an open-source static analysis tool purpose-built to audit and secure your GitHub Actions workflows. Developed by the engineering team at Betterment, claws helps DevSecOps teams enforce best practices, identify risky patterns, and eliminate insecure configurations in workflow YAML before they hit your production CI/CD pipelines.
Why You Should Care
GitHub Actions has exploded in popularity for automating build, test, and deployment processes. However, with this convenience comes new attack surfaces:
- Workflow injection via PRs
- Token misuse through overly-permissive secrets or write scopes
- Untrusted runners or compromised third-party actions
A single misconfigured workflow can lead to credential leaks, privilege escalation, or remote code execution. claws mitigates these risks by performing pre-flight checks on workflows, catching issues before they go live.
Key Features
- Rule-based Linting: Detect common security misconfigurations like
pull_request_target, unpinned actions, or write-scoped PATs. - Custom Rules Support: Extend or disable built-in checks to match your organisation’s policy needs.
- CI/CD Integration: Easily runs as part of your PR checks to prevent dangerous code from being merged.
- Clear Output: Returns actionable results that can be surfaced in review comments or audit dashboards.
Example Use Case
You have a developer opening a pull request that includes changes to your CI pipeline. It sets up a GitHub Actions workflow using an unpinned actions/checkout version. claws flags this as a risk—unversioned actions can be updated silently and exploited upstream.
In addition, it warns that the workflow uses pull_request_target, a known vector for supply chain attacks if not handled carefully.
How to Install and Use
|
1 2 3 4 5 6 7 8 |
# Install claws $ gem install claws-scan # Optionally, specify a version $ gem install claws-scan -v 0.7.5 # Scan a Github Action file analyze -c example_config.yml -t .github/workflows/ci.yml |
Real-World Context: GitHub Actions Attacks
GitHub Actions have become a prime target for attackers. In 2022, Checkmarx researchers discovered multiple projects that exposed write-access tokens to pull requests from forks. In another case, JFrog Security disclosed a critical misconfiguration that allowed remote code execution (RCE) on a popular open-source repository due to unsafe workflow composition.
claws helps mitigate these kinds of issues by shifting security left, catching them at code review time.
Verdict
If you’re running GitHub Actions in a serious DevOps environment, integrating claws should be a no-brainer. It’s lightweight, extensible, and significantly improves the security posture of your CI/CD pipelines.
You can download claws or read more here: https://github.com/betterment/claws