

BlackHat Asia 2025 Arsenal Slides: sisakulint - CI-Friendly static linter with SAST, semantic analysis for GitHub Actions

Link: https://www.blackhat.com/asia-25/arsenal/schedule/#sisakulint---ci-friendly-static-linter-with-sast-semantic-analysis-for-github-actions-43229

In recent years, attacks targeting web application platforms and the CI/CD pipelines behind them have been increasing rapidly.
sisakulint is a fast static analysis (SAST) tool for GitHub Actions. It validates workflow YAML files against the guidance in GitHub's security documentation, and it can also be used as a policy checker for the rules an organization decides to enforce on its workflows. The checks are mapped to the OWASP Top 10 CI/CD Security Risks (https://owasp.org/www-project-top-10-ci-cd-security-risks/). It implements most of the checks that can be performed statically to confirm that a workflow follows GitHub's security hardening guidance (https://docs.github.com/ja/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions), reducing the risk of malicious code being injected into the CI/CD pipeline or of credentials such as tokens being stolen. It does not cover properties that cannot be expressed in the workflow YAML, nor "repository-level settings" that are configured by GitHub organization administrators.
It is aimed mainly at software developers and blue-team security staff at user companies, and it is easy to adopt because it can be installed from brew.
It also includes an autofix function for lint errors related to security features.
It supports SARIF output, the common interchange format for static analysis results, so that reviewdog can present findings with a rich triage UI on GitHub pull requests.
ref: https://github.com/reviewdog/reviewdog?tab=readme-ov-file#sarif-format
https://github.com/ultra-supara/sisakulint/pull/91/checks?check_run_id=32750598299

Main tool features:
• id collision detection, and environment variable name collision detection
  docs: https://sisakulint.github.io/docs/idrule/
  github ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#using-a-specific-shell
• Hardcoded credentials detection, written as Rego queries
  docs: https://sisakulint.github.io/docs/credentialsrule/
• commit-sha rule (third-party actions pinned to a full commit SHA rather than a mutable tag or branch)
  docs: https://sisakulint.github.io/docs/commitsharule/
  github ref: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
• permissions rule (explicit, minimal GITHUB_TOKEN permissions)
  docs: https://sisakulint.github.io/docs/permissions/
  github ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions
• workflow call rule (reusable workflows)
  docs: https://sisakulint.github.io/docs/workflowcall/
  github ref: https://docs.github.com/en/actions/sharing-automations/reusing-workflows
• timeout-minutes rule (explicit job timeouts)
  docs: https://sisakulint.github.io/docs/timeoutminutesrule/
  github ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes
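To make four of the rules above concrete, here is an added example in Go (my own code for this page, not sisakulint's implementation) that runs them over a constructed workflow: commit-sha (every uses: reference, including a job that calls a reusable workflow, must end in a full 40-hex commit SHA), permissions (a job must get an explicit permissions block at the top level or on the job itself), timeout-minutes (every job that is not a reusable-workflow caller sets one), and step id collisions. It is deliberately line-based and assumes the two-space indentation GitHub's own examples use; sisakulint works on a parsed AST instead. The sample workflow and the 40-hex SHA in it are placeholders, not real commits.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type Finding struct{ Line int; Rule, Msg string } // 1-based line, rule name, message

// Constructed input modelled on the deck's CI example; the 40-hex SHA is a placeholder.
const sampleWorkflow = `on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: setup
        uses: actions/setup-go@v5
      - id: setup
        run: gofmt -l . && staticcheck ./...
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
  release:
    uses: example-org/shared/.github/workflows/release.yml@main
`

var (
	jobHeader = regexp.MustCompile(`^  ([A-Za-z_][A-Za-z0-9_-]*):\s*$`) // 2-space key under jobs:
	stepID    = regexp.MustCompile(`^ {6,}(?:- )?id:\s*(\S+)`)
	usesKey   = regexp.MustCompile(`^\s*(?:- )?uses:\s*([^\s#]+)`)
	fullSHA   = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// Lint applies the commit-sha, permissions, timeout-minutes and id rules line by line.
func Lint(src string) []Finding {
	var out []Finding
	var inJobs, topPerms, hasTimeout, hasPerms, isCaller bool
	curJob, curLine, stepIDs := "", 0, map[string]int{}
	closeJob := func() { // per-job findings, emitted when the job's block ends
		if curJob == "" {
			return
		}
		if !hasTimeout && !isCaller { // jobs that call a reusable workflow cannot set timeout-minutes
			out = append(out, Finding{curLine, "timeout-minutes", fmt.Sprintf("job %q has no timeout-minutes (default is 360)", curJob)})
		}
		if !topPerms && !hasPerms {
			out = append(out, Finding{curLine, "permissions", fmt.Sprintf("job %q inherits the repository's default GITHUB_TOKEN permissions", curJob)})
		}
	}
	for i, raw := range strings.Split(src, "\n") {
		n, line := i+1, strings.TrimRight(raw, " ")
		if line == "" {
			continue
		}
		if !strings.HasPrefix(line, " ") { // top-level key
			inJobs = strings.HasPrefix(line, "jobs:")
			topPerms = topPerms || strings.HasPrefix(line, "permissions:")
			continue
		}
		if inJobs {
			if m := jobHeader.FindStringSubmatch(line); m != nil {
				closeJob()
				curJob, curLine = m[1], n
				hasTimeout, hasPerms, isCaller = false, false, false
				stepIDs = map[string]int{}
				continue
			}
			hasTimeout = hasTimeout || strings.HasPrefix(line, "    timeout-minutes:")
			hasPerms = hasPerms || strings.HasPrefix(line, "    permissions:")
			isCaller = isCaller || strings.HasPrefix(line, "    uses:")
			if m := stepID.FindStringSubmatch(line); m != nil {
				if prev, dup := stepIDs[m[1]]; dup {
					out = append(out, Finding{n, "id", fmt.Sprintf("step id %q collides with line %d", m[1], prev)})
				}
				stepIDs[m[1]] = n
			}
		}
		if m := usesKey.FindStringSubmatch(line); m != nil { // step action or reusable workflow
			if at := strings.LastIndex(m[1], "@"); at < 0 || !fullSHA.MatchString(m[1][at+1:]) {
				out = append(out, Finding{n, "commit-sha", fmt.Sprintf("%q is not pinned to a full commit SHA", m[1])})
			}
		}
	}
	closeJob()
	return out
}

func main() {
	for _, f := range Lint(sampleWorkflow) {
		fmt.Printf("line %d [%s] %s\n", f.Line, f.Rule, f.Msg)
	}
}
```

On the sample this reports three unpinned references (the two tag-pinned actions and the @main reusable workflow), one step id collision, and a missing timeout and missing permissions for the build job and the release job; the test job is clean. Feeding the findings to reviewdog would only require serialising them as SARIF, which is left out here.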

atsushi, sada

April 16, 2025

Transcript

1. #BHAS @BlackHatEvents
   $ aws sts get-caller-identity
   Sada Atsushi (1st author of sisakulint)
   • Local: Tokyo, Japan
   • Job: Junior Security/Corporate Engineer @ Financial Sector
   • Hobby: OSS (security tool) development, security research, community, homemade PC, travel
   • Focus: Cloud Security, Corporate Security
   • Keywords: AWS, GitHub, MDM (Jamf, Intune), PSIRT LLM Agent, Compiler, Incident Response
   • Brief comment: I love POKEMON, especially "Pachirisu"
2. $ aws sts get-caller-identity
   Fujioka Kosuke (contributor of sisakulint)
   • Local: Shizuoka, Japan
   • Job: University Student (B3)
   • Hobby: OSS development (brgen: https://github.com/on-keyday/brgen), homemade server maintainer
   • Focus: QUIC protocol, programming languages (C++, Rust, TypeScript, Go)
   • Keywords: QUIC and other network protocols, binary formats, infrastructure
   • Brief comment: My first trip to Singapore
3. SISAKULINT?
   • CI-friendly static linter for GitHub Actions; errors are triaged as GitHub pull request comments
   • SAST and autofix for the CI environment
   • 27 linter rules, 6 SAST rules, 4 autofix functions
   • OWASP CI/CD Top 10
   • GitHub: https://github.com/ultra-supara/sisakulint
   • Web pages: https://sisakulint.github.io
4. lint?
   • A tool that takes code and configuration as input and detects program problems statically.
   • Static means that the program is not actually executed.
   • It detects problems that can be found statically from a simple configuration but that the compiler or interpreter does not report.
   • For example, problems for which no definition can be agreed upon [*1], or problems that would otherwise only be detected at run time [*2].
   [*1] Framework-specific usage problems
   [*2] Static type checking in languages with dynamic typing, e.g. mypy
5. lint specializes in the following tasks
   • Type error detection: achieved by implementing static type checking
   • Coding style violation detection: achieved by sharing a lint configuration
   • Detection of misuse of features implemented in the project
6. lint: pros and cons
   Pros
   • Static testing is good at exhaustive inspection, where dynamic testing is not.
   • Its most attractive feature is speed.
   Cons
   • Static testing is not as accurate as dynamic testing.
   • False positives
7. Example: set up the Go environment and run the build from GitHub Actions
   Workflows are built under the .github/workflows/*.yaml directory
   • When a git push or a pull_request happens, a workflow named CI runs.
   • jobs.<job_id>.runs-on tells it to run on ubuntu.
   • jobs.<job_id>.steps checks out the repository and sets up the Go environment on ubuntu.
   • jobs.<job_id>.steps.run runs a shell script (in this case the Go formatter gofmt and the linter staticcheck).
8. 4 features of GitHub Actions
   1. Many context switches
   2. Syntax is complex
   3. Code and supply chain security must be ensured
   4. DevOps by PSIRT
9. How to solve each problem
   1. Many context switches -> lint
   2. Syntax is complex -> lint
   3. Code and supply chain security must be ensured -> SAST
   4. DevOps by PSIRT -> Autofix
10. Feature 1: Many context switches (example: the GitHub Actions tab)
   • When a git push or a pull_request happens, a workflow named CI runs.
   • Go to the Actions tab of the project in a browser and check the run that the push triggered.
   • If it fails, search the console log to find the cause.
   • Runs quite often fail for trivial reasons.
   • If it fails, you have to go back to the terminal, fix it, and push again.
11. Feature 2: Syntax is complex
   • Programmers combine the syntax of workflow, jobs and steps, where the main computational execution part is abstracted away.
   • We created the "sisakulint rules" focusing on the complex, computational execution part.
12. This area has shown a major problem quite recently!
   CVE-2025-30066
   https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066
   • CICD-SEC-2: Inadequate Identity and Access Management
   • CICD-SEC-4: Poisoned Pipeline Execution (PPE)
   [Mitigation] Pin third-party actions to a full commit hash instead of a mutable tag or branch
13. GitHub also releases many documents and research blogs.
   https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
   https://securitylab.github.com/resources/github-actions-untrusted-input/
   https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions
   • Preventing pwn requests
   • Untrusted input
14. GitHub also releases many documents and research blogs.
   https://securitylab.github.com/resources/github-actions-building-blocks/
   https://securitylab.github.com/resources/github-actions-new-patterns-and-mitigations/
   • (token) permissions
   • pull_request_target
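The two GitHub Security Lab patterns named on these slides, pwn requests and untrusted input, are exactly the kind of thing a SAST rule on the workflow YAML can catch. The following is an added example in Go (my own code for this page, not sisakulint's security-hardening rule) that scans a constructed vulnerable workflow and its hardened form. It flags (1) a pull_request_target workflow that checks out the pull request head, which runs attacker-controlled code with the write-capable GITHUB_TOKEN and secrets, and (2) attacker-controlled expressions such as the PR title interpolated directly into a run: script, which is shell injection; the hardened form passes the value through env instead. The list of untrusted contexts is a subset of GitHub's documented list, and the parsing is line-based and assumes two-space indentation.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type Finding struct{ Line int; Msg string }

// Constructed inputs: the vulnerable "pwn request" pattern and its hardened form.
const vulnerable = `on: pull_request_target
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
`

const hardened = `on: pull_request_target
permissions:
  pull-requests: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $PR_TITLE"
`

const injMsg = "untrusted input interpolated into a run: script; pass it through env instead"
const headMsg = "pull_request_target checks out the PR head: untrusted code runs with the write token and secrets"

var (
	runKey  = regexp.MustCompile(`^(\s*(?:- )?)run:(.*)$`)
	headRef = regexp.MustCompile(`^\s+ref:\s*.*(github\.event\.pull_request\.head|github\.head_ref)`)
	// Subset of the attacker-controlled contexts listed in GitHub's untrusted-input guidance.
	untrusted = regexp.MustCompile(`\$\{\{\s*(github\.head_ref|github\.event\.(?:pull_request|issue)\.(?:title|body)|` +
		`github\.event\.(?:comment|review)\.body|github\.event\.pull_request\.head\.(?:ref|label)|` +
		`github\.event\.(?:head_commit|commits\.\*)\.message)\s*\}\}`)
)

// Scan flags (1) a PR-head checkout under pull_request_target and
// (2) untrusted expressions inside run: scripts (inline or block scalar).
func Scan(src string) []Finding {
	var out []Finding
	var checkouts []int
	prt, inOn, inRun, runIndent := false, false, false, 0
	for i, raw := range strings.Split(src, "\n") {
		n, line := i+1, strings.TrimRight(raw, " ")
		if line == "" {
			continue
		}
		if !strings.HasPrefix(line, " ") { // top-level key
			inOn, inRun = strings.HasPrefix(line, "on:"), false
			prt = prt || (inOn && strings.Contains(line, "pull_request_target"))
			continue
		}
		if inOn && strings.Contains(line, "pull_request_target") { // on: written as a map or list
			prt = true
		}
		if m := runKey.FindStringSubmatch(line); m != nil {
			inRun, runIndent = true, len(m[1])
			if untrusted.MatchString(m[2]) {
				out = append(out, Finding{n, injMsg})
			}
			continue
		}
		if inRun && len(line)-len(strings.TrimLeft(line, " ")) > runIndent { // body of run: |
			if untrusted.MatchString(line) {
				out = append(out, Finding{n, injMsg})
			}
			continue
		}
		inRun = false
		if headRef.MatchString(line) {
			checkouts = append(checkouts, n)
		}
	}
	if prt { // checking out the PR head is only dangerous in this privileged context
		for _, n := range checkouts {
			out = append(out, Finding{n, headMsg})
		}
	}
	return out
}

func main() {
	for _, f := range Scan(vulnerable) {
		fmt.Printf("line %d: %s\n", f.Line, f.Msg)
	}
}
```

The head-checkout finding is only emitted when the trigger is pull_request_target: the same ref: line under a plain pull_request trigger runs with a read-only token and no secrets for forks, so it is not reported. The injection check covers both inline run: values and the body of a run: | block scalar.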
15. Example: minimize permissions for the GitHub Actions token and the GitHub App token
   Actions token
   App token: https://github.com/actions/create-github-app-token/issues/3
16. Feature 4: DevOps by PSIRT
   • Previous tools were too focused on "detecting"
   • We never know when developers will fix the issues that PSIRT requests
   • It is always difficult to reach PSIRT's ideal of security (for everything...)
   • If tools could fix issues automatically, we could meet the requirements at any time!
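As an added illustration of the autofix idea (my own code for this page, not sisakulint's autofix functions, which the deck does not detail), the following Go program rewrites a constructed workflow in place: it pins tag-referenced actions to a commit SHA and keeps the tag as a trailing comment, inserts a least-privilege top-level permissions block just above jobs:, and adds an explicit timeout-minutes to any job that lacks one. The resolve table stands in for the lookup (GitHub API or git ls-remote) that a real fixer would perform, and its SHAs are placeholders; a reference it cannot resolve is left unchanged and reported rather than guessed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// before is a constructed workflow. The SHAs in resolve are placeholders standing in
// for a lookup (GitHub API or git ls-remote) that a real fixer would perform.
const before = `name: CI
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
      - uses: example-org/unknown-action@main
      - run: go build ./...
`

var resolve = map[string]string{
	"actions/checkout@v4": "0123456789abcdef0123456789abcdef01234567",
	"actions/setup-go@v5": "fedcba9876543210fedcba9876543210fedcba98",
}

var (
	usesKey   = regexp.MustCompile(`^(\s*(?:- )?uses:\s*)([^\s#]+)(.*)$`)
	jobHeader = regexp.MustCompile(`^  ([A-Za-z_][A-Za-z0-9_-]*):\s*$`)
	fullSHA   = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// Autofix applies three fixes and returns the rewritten text plus one note per
// decision: pin mutable action refs to a commit SHA (keeping the tag as a comment),
// add a least-privilege top-level permissions block, and add timeout-minutes to jobs
// that lack one. Running it on its own output changes nothing.
func Autofix(src string) (string, []string) {
	lines := strings.Split(src, "\n")
	var notes []string
	// Pass 1: which jobs already have a timeout, and whether top-level permissions exist.
	hasTimeout := map[string]bool{}
	topPerms, inJobs, cur := false, false, ""
	for _, l := range lines {
		switch {
		case !strings.HasPrefix(l, " "):
			inJobs = strings.HasPrefix(l, "jobs:")
			topPerms = topPerms || strings.HasPrefix(l, "permissions:")
		case inJobs && jobHeader.MatchString(l):
			cur = jobHeader.FindStringSubmatch(l)[1]
		case inJobs && strings.HasPrefix(l, "    timeout-minutes:"):
			hasTimeout[cur] = true
		}
	}
	// Pass 2: rewrite.
	var out []string
	inJobs, cur = false, ""
	for _, l := range lines {
		if !strings.HasPrefix(l, " ") {
			inJobs = strings.HasPrefix(l, "jobs:")
			if inJobs && !topPerms { // insert just above jobs:
				out = append(out, "permissions:", "  contents: read")
				notes = append(notes, "added top-level permissions (contents: read); jobs needing more must declare it")
			}
		} else if m := jobHeader.FindStringSubmatch(l); inJobs && m != nil {
			cur = m[1]
		}
		if m := usesKey.FindStringSubmatch(l); m != nil {
			ref := m[2]
			if at := strings.LastIndex(ref, "@"); at > 0 && !fullSHA.MatchString(ref[at+1:]) {
				if sha, ok := resolve[ref]; ok {
					l = fmt.Sprintf("%s%s@%s # %s%s", m[1], ref[:at], sha, ref[at+1:], m[3])
					notes = append(notes, "pinned "+ref+" to "+sha)
				} else {
					notes = append(notes, "could not resolve "+ref+"; left unchanged for manual review")
				}
			}
		}
		out = append(out, l)
		if inJobs && cur != "" && !hasTimeout[cur] && strings.HasPrefix(l, "    runs-on:") {
			out = append(out, "    timeout-minutes: 30")
			notes = append(notes, "added timeout-minutes: 30 to job "+cur)
		}
	}
	return strings.Join(out, "\n"), notes
}

func main() {
	fixed, notes := Autofix(before)
	fmt.Println(fixed)
	for _, n := range notes {
		fmt.Println("fix:", n)
	}
}
```

The chosen defaults (contents: read, 30 minutes) are the most restrictive baseline; a job that publishes or pushes must widen its own permissions block, which is why the fixer records a note for each change instead of silently rewriting. Because the fixer is idempotent, it can run on every push and only produce a diff when something actually needs fixing.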
17. That's why we need SISAKULINT
   • We want to triage mistakes in complex combinations of patterns in advance.
   • We want to continuously detect and respond to security mistakes from a DevOps perspective.
   • 27 linter rules, 6 SAST rules, 4 autofix functions
   • OWASP CI/CD Top 10
18. Linting structure
   input.yaml -> AST/Token -> Rule -> Message (*.json) -> Output (2 patterns) / Autofix
   Rules: env-var, id, permissions, workflow-call, timeout-minutes, deprecated-commands, cond (if), syntax, commit-hash, security-hardening, expressions
19. Structure: focusing on the output format
   Message (*.json)
   • Output 1 (SARIF): view on GitHub via reviewdog
   • Output 2 (original format): view with the CLI
20. reviewdog: the key to connecting sisakulint and GitHub
   Triage errors with a rich UI
   https://github.com/ultra-supara/sisakulint/pull/138
   https://github.com/reviewdog/reviewdog?tab=readme-ov-file#code-suggestions
   .github/workflows/reviewdog.yaml
21. Tool features (explanations focused on a few important topics)
   • brew installation
   • lint
   • SAST
   • Autofix
22. Future work
   • Aim for full compliance with the OWASP CI/CD Top 10
   • Enhance functionality to enable autofix for almost all lint and SAST features
   • Complete an auto-fixing bot (GitHub App) and introduce it as a third-party app on GitHub
23. sisakulint = sisaku + lint
   • sisaku: 思索 (contemplation), 施策 (measures), 試作 (prototyping)
   • Development stops when measures (施策) run out
   • It is important to take in information and think (思索)
   • It is important to actually prototype the various possibilities with my own hands (試作)