Raven – CI/CD Security Analyzer
Description

RAVEN (Risk Analysis and Vulnerability Enumeration for CI/CD) is a security tool designed to perform large-scale scans of GitHub Actions CI workflows and digest the discovered data into a Neo4j database. It is developed and maintained by the Cycode research team.

With Raven, we were able to identify and report security vulnerabilities in some of the most popular repositories hosted on GitHub, including:
- FreeCodeCamp (the most popular project on GitHub)
- Storybook (one of the most popular frontend frameworks)
- Fluent UI by Microsoft
- and much more

We listed all vulnerabilities discovered using Raven in the tool's Hall of Fame.

What is Raven

The tool provides the following capabilities to scan and analyze potential CI/CD vulnerabilities:
- Downloader: downloads the workflows and actions necessary for analysis. Workflows can be downloaded for a specified organization or for all repositories, sorted by star count. Performing this step is a prerequisite for analyzing the workflows.
- Indexer: digests the downloaded data into a graph-based Neo4j database. This process involves establishing relationships between workflows, actions, jobs, steps, etc.
- Query Library: a library of pre-defined queries based on research conducted by the community.
- Reporter: a simple way of reporting suspicious findings. As an example, it can be incorporated into the CI process for pull requests and run there.

Possible usages for Raven: Scanner for your own organization's security…Read More

