Cosseter is a comprehensive security analysis tool designed to automatically extract and analyze permissions in GitHub Actions workflows. It performs static analysis on both JavaScript Actions and Bash steps to identify permissions and reduce vulnerabilities in CI/CD pipelines.
This project is available thanks to the Secure Software Supply Chain Center (S3C2) and the research institution of North Carolina State University (NCSU).
Our complete datasets used in this research are available on Zenodo:
Cosseter performs multi-layered security analysis of GitHub Actions workflows through:
- JavaScript Action Analysis: Static analysis of third-party JavaScript actions to extract API calls and permission requirements
- Bash Script Analysis: Analysis of shell commands within workflow steps to identify more permission requirements
- Permission Extraction: Automated extraction and classification of security-critical permissions
- Workflow Enhancement: Generation of enhanced workflows with detailed permission annotations
The tool consists of several interconnected components:
- ActionAnalyzer/: JavaScript action analysis engine with Celery-based distributed processing
- BashAnalyzer/: Bash script and shell command analysis using Semgrep rules
- PermissionEvaluation/: Permission extraction and classification system
- WorkflowFrontend/: Workflow processing and WIR generation
- MongoDB: Stores workflow metadata, analysis results, and extracted permissions
- Redis: Message queue for distributed task processing
- Celery: Distributed task queue for scalable analysis processing
- Docker and Docker Compose
- Python 3.12+
- 20-30 GB RAM (200 GB+ recommended for large-scale analysis)
- Time (Action analysis can take upwards of 2 hours for each action and unique version)
- Clone the repository: `git clone https://github.com/s3c2/cosseter.git`
- Install Python dependencies: `./install.sh`
- Enter the artifact directory: `cd artifact`
- Start the infrastructure: `docker compose up --build`
- Run the analysis tool: `python3 runTool.py`
The main entry point is `runTool.py`, which orchestrates the complete analysis pipeline:

```bash
python3 runTool.py
```

The tool will:
- Present available test workflow sets from `workflowInputs/`
- Process workflows through the analysis pipeline
- Store intermediate analysis results for JavaScript actions in MongoDB and for Bash steps in JSON files
- Generate enhanced workflows with permission annotations
- motivatingTest/: Demonstrates the core functionality with a representative workflow
- basicTest/: Simple workflow for testing basic functionality
- complexBashTest/: Complex Bash script analysis scenarios
- missingCoverageTest/: Edge cases and coverage testing
- Workflow IR Population: Parses and stores workflow metadata
- JavaScript Action Analysis: Analyzes custom actions using Celery workers
- Permission Extraction: Extracts and classifies permissions from actions
- Bash Analysis: Analyzes shell scripts using Semgrep rules
- Permission Evaluation: Correlates and evaluates all extracted permissions
- Enhanced Workflow Generation: Creates annotated workflows with permission data
Results are stored in multiple formats:
- MongoDB Collections: Structured analysis results and metadata
- Enhanced Workflows: Workflow YAMLs with permission annotations in `updatedWorkflows/`
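To make the permission-reduction idea concrete, the following Python script is an added example (not code from the Cosseter repository): it takes the `GITHUB_TOKEN` scopes a job's steps were observed to use, the kind of data the pipeline's permission-evaluation stage produces, computes the least-privilege `permissions:` block for that job, and reports every granted scope that exceeds observed use. The workflow and the observed-scope table are constructed inline (already parsed into Python dicts, the shape a YAML loader would produce), and the repository default for an unset token is assumed to be GitHub's restricted default.

```python
"""Least-privilege check for a GitHub Actions job's `permissions:` block.

Added example (not Cosseter's code). The workflow below is constructed, and
OBSERVED stands in for the scopes a static analysis would extract from each
job's actions and shell steps.
"""

# Commonly used GITHUB_TOKEN scopes that may be listed under `permissions:`.
SCOPES = (
    "actions", "checks", "contents", "deployments", "id-token", "issues",
    "packages", "pages", "pull-requests", "repository-projects",
    "security-events", "statuses",
)
LEVEL = {"none": 0, "read": 1, "write": 2}

# Assumption: repository uses GitHub's restricted default for an unset token
# (read on contents and packages only).
RESTRICTED_DEFAULT = {"contents": "read", "packages": "read"}


def expand(perms, default=RESTRICTED_DEFAULT):
    """Expand a `permissions:` value into a complete scope -> level map.

    Absent block -> repository default; "read-all"/"write-all" shorthand;
    a mapping grants exactly the listed scopes and every other scope is
    none (GitHub's documented behaviour for partial mappings)."""
    if perms is None:
        perms = default
    if perms == "read-all":
        return {s: "read" for s in SCOPES}
    if perms == "write-all":
        return {s: "write" for s in SCOPES}
    if not isinstance(perms, dict):
        raise ValueError(f"unsupported permissions value: {perms!r}")
    unknown = set(perms) - set(SCOPES)
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    return {s: perms.get(s, "none") for s in SCOPES}


def effective_permissions(workflow, job_name):
    """A job-level block replaces the workflow-level block entirely."""
    job = workflow["jobs"][job_name]
    block = job.get("permissions", workflow.get("permissions"))
    return expand(block)


def minimal_block(required):
    """Smallest `permissions:` mapping covering the observed scopes.
    An empty mapping ({}) means the job needs no token scopes at all."""
    return {s: lvl for s, lvl in sorted(required.items()) if LEVEL[lvl] > 0}


def excess_scopes(granted, required):
    """Scopes granted at a higher level than the job was seen to use."""
    return sorted(
        s for s in SCOPES
        if LEVEL[granted[s]] > LEVEL[required.get(s, "none")]
    )


def render_block(block, indent=0):
    """Render a permissions mapping as YAML text (no YAML library needed)."""
    pad = " " * indent
    if not block:
        return f"{pad}permissions: {{}}"
    lines = [f"{pad}permissions:"]
    lines += [f"{pad}  {s}: {lvl}" for s, lvl in block.items()]
    return "\n".join(lines)


# Constructed workflow: top-level write-all, one job inheriting it and one
# job with its own (still over-broad) block.
WORKFLOW = {
    "permissions": "write-all",
    "jobs": {
        "build": {"steps": [{"uses": "actions/checkout@v4"}]},
        "release": {
            "permissions": {"contents": "write", "issues": "write"},
            "steps": [{"run": "gh release create v1.0"}],
        },
    },
}

# Constructed stand-in for the scopes an analysis would extract per job.
OBSERVED = {
    "build": {"contents": "read"},
    "release": {"contents": "write"},
}


def audit(workflow=WORKFLOW, observed=OBSERVED):
    """Return {job: (excess scopes, minimal block)} for every job."""
    report = {}
    for job in workflow["jobs"]:
        granted = effective_permissions(workflow, job)
        required = observed.get(job, {})
        report[job] = (excess_scopes(granted, required), minimal_block(required))
    return report


if __name__ == "__main__":
    for job, (excess, block) in audit().items():
        print(f"job {job}: {len(excess)} excess scope(s): {excess}")
        print(render_block(block, indent=2))
```

Two details matter for the check: a job-level `permissions:` block does not merge with the workflow-level one but replaces it, and a partial mapping silently sets every unlisted scope to `none`, so the minimal block for a job that uses no token at all is the empty mapping `{}` rather than an omitted key.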
```
artifact/
├── runTool.py                # Main analysis orchestrator
├── compose.yaml              # Docker orchestration
│
├── ActionAnalyzer/           # JavaScript action analysis
│   ├── celeryApp/            # Distributed processing
│   ├── CosseterJavaScript/   # JS analysis engine
│   └── permissionExtraction/ # Permission extraction
│
├── BashAnalyzer/             # Bash script analysis
│   ├── permExtract/          # Permission extraction for Bash
│   └── semRulesFinal.yaml    # Semgrep analysis rules
│
├── PermissionEvaluation/     # Permission correlation & evaluation
├── WorkflowFrontend/         # WIR generator
├── outputWorkflows/          # Enhanced workflow generation
│
├── workflowInputs/           # Test workflow datasets
├── updatedWorkflows/         # Generated enhanced workflows
└── sharedDirectory/          # Shared data between components
```
This tool was developed as part of security research on CI/CD pipelines. If you use Cosseter in your research, please cite our work:
```bibtex
@INPROCEEDINGS{cosseter,
  author={Greg Tystahl and Jonah Ghebremichael and Siddharth Muralee and Sourag Cherupattamoolayil and Antonio Bianchi and Aravind Machiry and Alexandros Kapravelos and William Enck},
  booktitle={2026 IEEE Symposium on Security and Privacy (SP)},
  title={COSSETER: GitHub Actions Permission Reduction Using Demand-Driven Static Analysis},
  year={2026},
  volume={},
  number={},
  pages={???-???},
  doi={???}
}
```

We welcome contributions! Please see our contribution guidelines:
- Fork the repository
- Create a feature branch
- Submit a pull request with detailed descriptions of changes
This project is licensed under GPL v2
- ARGUS: Paper|Repo
- Modified to produce custom WIRs for workflow ingestion
- ODGen-Fast: Paper|Repo
- Implemented our Demand-Driven JavaScript analysis on top of the static analysis base provided
- Improved upon general analysis and added support for handling packed JavaScript
- Semgrep: Repo
- We created custom Semgrep rules and used them to perform the Bash analysis
- MongoDB Connection Errors: Ensure MongoDB is running and accessible on port 27017
- Memory Issues: Increase Docker memory limits in `compose.yaml`
- Celery Worker Issues: Check Redis connectivity and worker logs
- Open an issue on GitHub for bug reports
- Contact the research team at S3C2 and North Carolina State University for research collaborations
- Check the documentation in individual component directories