Add scanner

Author: JarLob

.github/workflows/sample.yml

@@ -0,0 +1,26 @@
+# Sample workflow to run the action
+name: Sample workflow
+
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+    inputs:
+      owner:
+        description: 'Org or user name'
+        required: true
+        type: string
+      repo:
+        description: 'Repository name'
+        required: true
+        type: string
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: GitHubSecurityLab/pwn-request-scanner@main
+      with:
+        owner: ${{ inputs.owner }}
+        repo: ${{ inputs.repo }}

.gitignore

@@ -0,0 +1 @@
+node_modules

README.md

@@ -1 +1,14 @@
-# PWN-request-scanner
+# pwn request scanner
+
+ Workflows triggered on `pull_request_target` event potentially have access to secrets, privileged GITHUB_TOKEN permissions and access to cache token. Because of that under certain conditions it may lead to [pwn request vulnerabilities](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/).  
+
+Most GitHub Actions workflows run from the default repository branch. However workflows triggered on `pull_request_target` event run from the target branch of the pull request. It means that a repository may have multiple versions of the same workflow in different branches and attackers may choose which version to run by creating a pull request to a specific branch. To reduce the number of triggerable `pull_request_target` workflows it is recommended to use [branch filters](https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#onpull_requestpull_request_targetbranchesbranches-ignore).
+
+The `pwn request scanner` is a simple tool that doesn't go into depths of analyzing if the workflow with `pull_request_target` trigger is vulnerable or not, but it scans all repository branches for `pull_request_target` workflows that do not follow the best practice of using branch filters.
+
+## Usage
+
+You can run the scanner as:
+
+* GitHub Action in your repository. Just copy the [sample workflow](.github/workflows/sample.yml).  
+* Locally running the [index.js](dist/index.js) script from the dist folder.  

action.yml

@@ -0,0 +1,19 @@
+name: 'pwn request scanner'
+description: 'An action to search for the usage of pull_request_target trigger in non default branches'
+inputs:
+  token:
+    description: 'GitHub token to call REST API'
+    required: false
+    default: ${{ github.token }}
+  owner:
+    description: 'Org or user name'
+    required: true
+    type: string
+  repo:
+    description: 'Repository name'
+    required: true
+    type: string
+
+runs:
+  using: 'node20'
+  main: 'dist/index.js'

dist/index.js

@@ -0,0 +1,3 @@
+/*! formdata-polyfill. MIT License. Jimmy Wärting <https://jimmy.warting.se/opensource> */
+
+/*! ws. MIT License. Einar Otto Stangvik <[email protected]> */