Class

What ci-sentinel does

💉 Expression injection (inter-step / inter-job taint)

Taints untrusted ${{ github.event.* }} (issue/PR title, body, comment, review, branch name, commit message, label name, fork repo identity, edited-from values) to a run: shell or actions/github-script sink — and follows it across steps.<id>.outputs.*, needs.<job>.outputs.*, env: vars, matrix values and reusable-workflow inputs.*. An attacker who hides the untrusted value behind an intermediate output is still caught; a per-file grep is not.

🎭 Pwn requests

pull_request_target / workflow_run that check out untrusted fork code in the privileged, secret-bearing context = arbitrary code execution with your secrets.

🔑 Token permissions

Excessive GITHUB_TOKEN scopes (write-all, contents:write, id-token:write), missing permissions: blocks, and secrets exposed to untrusted triggers.

🔁 Reusable workflows

workflow_call callers passing untrusted data across the boundary as inputs.*, and secrets: inherit handing the full secret set to a reusable workflow on an untrusted trigger.

📌 Action pinning

Third-party actions (and reusable-workflow uses:) on mutable tags/branches instead of a commit SHA (the tj-actions/changed-files-style hijack), resolved through the transitive action graph.

🖥️ Self-hosted RCE

Self-hosted runners reachable from public-repo PRs (RCE on your own infra), and OIDC id-token trust misuse.

Class

What ci-sentinel does

💉 CI-variable injection

Taints untrusted GitLab variables (CI_COMMIT_REF_NAME/BRANCH/TAG, CI_MERGE_REQUEST_TITLE/DESCRIPTION/SOURCE_BRANCH_NAME, commit message/author, triggering-user fields) interpolated into script: — following the taint through variables: and extends: templates. Knows the SAFE vars (CI_COMMIT_SHA, CI_MERGE_REQUEST_IID, CI_PROJECT_ID, …) so it doesn't flag every $CI_.

🎭 Fork merge-request pwn

Jobs reachable from fork MR pipelines (merge_request_event, only: merge_requests) that carry secrets / a broad CI_JOB_TOKEN / id_tokens (OIDC), or that run privileged work (deploy/publish/kubectl/terraform) with no when: manual gate.

📦 include: supply-chain

include: from a remote URL or another project/component on a moving (non-SHA) ref — foreign pipeline code merged into yours.

☣️ Artifact / cache poisoning

An untrusted job writes an artifact/cache that a privileged downstream job consumes and executes (needs:/dependencies: or a shared cache path) — a cross-job and cross-pipeline escalation.

Ecosystem

What ci-sentinel catches

🔧 Jenkins (Jenkinsfile)

Command injection from params.* / env.CHANGE_* / ghprb* / SCM data into sh/bat/powershell (through environment{} bindings); credential-leak (credentials()/withCredentials printed or baked into a GString); Groovy evaluate()/load RCE; missing input() approval gate; unsafe agent any.

⭕ CircleCI (.circleci/config.yml)

Shell injection from << pipeline.git.branch/tag >> / pipeline parameters into run:; unpinned orbs (@volatile / bare major); fork-PR context secret exposure with no type: approval gate; privileged deploy with no approval.

🟦 Azure Pipelines (azure-pipelines.yml)

Macro injection from $(Build.SourceBranch) / $(System.PullRequest.SourceBranch) / commit message into script:/bash:/pwsh:; untrusted templates from a foreign repo resource; fork variable-group secret exposure; unpinned repository resources.

🪣 Bitbucket Pipelines (bitbucket-pipelines.yml)

Shell injection from $BITBUCKET_BRANCH / $BITBUCKET_TAG / $BITBUCKET_PR_DESTINATION_BRANCH / commit message expanded unquoted into script:; secured/deployment-variable exposure on externally-triggerable PR pipelines; unpinned pipes (:latest); deployments with no trigger: manual gate.

🚦 Travis CI (.travis.yml)

Shell injection from $TRAVIS_BRANCH / $TRAVIS_PULL_REQUEST_BRANCH / $TRAVIS_COMMIT_MESSAGE expanded unquoted into a lifecycle hook; secure-env PR/fork secret exposure; deploy: stages with no on: branch/condition gate.

Detector

What ci-sentinel catches

☁️ OIDC cloud-trust misconfiguration (Terraform / CloudFormation / GCP workload-identity / Azure federated-credential)

Models the cloud half of CI OIDC: the trust policy of the IAM role / WIF pool / federated app. Flags a sub condition with a broad wildcard (repo:org/*, repo:*), no sub condition at all (any workflow on the issuer assumes the role), a repo pinned but ref/environment unpinned (any branch assumes), the bare pull_request subject (fork-reachable), or an unpinned aud. Then correlates the IaC trust with the CI side (a workflow that mints id-token reachable from an untrusted trigger) and escalates to critical when the chain is reachable end-to-end. No single-file linter catches this — it spans the CI claim and the cloud trust policy.

🔧 Jenkins shared libraries (@Library → vars/*.groovy)

Taints an untrusted pipeline value (PR title / branch / build parameter) passed to a shared-library global-var step through the library's call() interior to an internal sh/bat sink — the Jenkins parity of orb/template/composite-action cross-file taint, invisible when reading only the Jenkinsfile. Also flags @Library imports on a mutable ref (a branch / default version) as supply-chain risk.

Premium

What you get

🔧 Auto-remediation (the exact fix)

For each finding ci-sentinel produces the concrete change: the corrected YAML/Groovy snippet and a unified diff you can apply — pin the action/orb/pipe to an immutable SHA/version, env-bind + quote the injected expression, drop write-all to least privilege, insert the manual/approval gate, pin the OIDC sub/aud, move the hardcoded secret to the store (and rotate it). Not "you have a bug" but "change THIS to THIS", with a confidence label (exact / template / guided) so you know what's drop-in vs. what needs a value filled. Findings carry a stable fingerprint for de-duplication, and the SARIF results carry inline fixes.

📋 Compliance scorecard (A–F)

A CIS-like CI security benchmark scored A–F with a PASS / FAIL / WARN / N/A breakdown per control (least privilege, component pinning, no secrets to forks, no self-hosted on public PRs, OIDC pinned, no hardcoded secrets, no pwn checkout, gated deploys, no injection, no cross-job poisoning). Each control lists the finding ids that drove its verdict — defensible to a security team. A directly-exploitable critical flaw caps the grade (one open RCE/secret-exfil path dominates the posture).

🛰️ Live threat-intelligence feed (the data moat)

Every uses: / orb / pipe in your config is checked against a live, server-side feed of KNOWN-compromised CI components, ingested on a cron from public sources — OSV.dev and the GitHub Security Advisory database (ecosystem=actions) — and merged onto a curated seed of the flagship incidents (tj-actions/changed-files CVE-2025-30066, reviewdog/action-setup CVE-2025-30154 and its transitive dependents, the aquasecurity/trivy-action tag force-push, Ultralytics). It knows that tj-actions/changed-files@v45 is poison and that the same action SHA-pinned to a clean commit or upgraded to @v46 is safe — a distinction a static YAML scan or a local linter cannot make, because it has no feed. The feed lives only on the hosted server (the thin client never carries it); GET /feed/status surfaces its freshness. A live reputation signal (stars / last-commit / archived / does-the-repo-still-resolve) additionally flags archived/abandoned components and dangling references that are takeover-bait. This is the access-moat that justifies the hosted, paid model: the value is the live DATA, not the compute.

🪤 Tag-rewrite & imposter detection (live ref→commit)

Give ci-sentinel the commit SHA you expected a mutable ref to be (from your lockfile/SBOM) and it resolves what the tag currently points at upstream — flagging a tag-rewrite / force-push (@v2 now runs a different commit than you reviewed — the exact tj-actions attack), a deleted/dangling ref, or a suspiciously recent move. It also pairs typosquat detection with the live reputation signal to confirm impersonation — actons/checkout (a near-miss of actions) whose repo is a freshly-stood-up, low-star or dangling imposter — vs. a legitimately-named small fork (no false positive). And because the feed is keyed by component identity, a compromised action is caught no matter which CI system references it (cross-CI) — the piece a mono-CI scanner structurally can't have.