POC details: d4c2dc06b48824c07c13b2fe627c3d872ea8a842

Source
Related vulnerability
Title: changed-files security vulnerability (CVE-2025-30066)
Description: changed-files is an open-source tj-actions project that tracks all changed files and directories relative to a target branch, a previous commit, or the last remote commit, returning paths relative to the project root. Versions of changed-files before v46 contain a security vulnerability: a remote attacker can discover secrets by reading action logs.
Introduction
# Checkmarx-CVE-2025-30066-Detection-Tool

These are tools for scanning your GitHub workflows and logs for potentially malicious actions associated with CVE-2025-30066. The workflow scanner checks for a set of known risky GitHub Actions and for a suspicious code snippet embedded in workflow files; the log scanner checks for secrets that ended up exposed in logs because of CVE-2025-30066.


# CxGithubActionsScan

## What It Scans

The script looks for the following in your workflow files:

**GitHub Actions:**

- reviewdog/action-setup
- reviewdog/action-shellcheck
- reviewdog/action-composite-template
- reviewdog/action-staticcheck
- reviewdog/action-ast-grep
- reviewdog/action-typos
- tj-actions/changed-files
- tj-actions/eslint-changed-files

**Malicious code snippet:**

A base64-encoded snippet:

`IyEvdXNyL2Jpbi9lbnYgcHl0aG9uMwoKIyBiYXNlZCBvbiBodHRwczovL2RhdmlkZWJvdmUuY29tL2Jsb2cvP3A9MTY`
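As an added illustration of the check described above (this is not the repository's own CxGithubActionsScan.py), the stand-alone scanner below matches `uses:` references in workflow text against the listed actions and looks for the base64 marker; it also records whether each risky reference is pinned to a full commit SHA rather than a movable tag, which goes slightly beyond the README's check. The workflow text and the 40-hex SHA in it are constructed, and `scan_repo` is a hypothetical helper for scanning a checked-out repository.

```python
import re
from pathlib import Path

# Action references the README lists as associated with CVE-2025-30066.
RISKY_ACTIONS = {
    "reviewdog/action-setup", "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template", "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep", "reviewdog/action-typos",
    "tj-actions/changed-files", "tj-actions/eslint-changed-files",
}
# The base64 marker the README gives for the malicious snippet.
MALICIOUS_SNIPPET = "IyEvdXNyL2Jpbi9lbnYgcHl0aG9uMwoKIyBiYXNlZCBvbiBodHRwczovL2RhdmlkZWJvdmUuY29tL2Jsb2cvP3A9MTY"
# Matches "uses: owner/repo[/subpath]@ref", with or without a leading "- ".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@'\"\s]*)?@([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def scan_workflow(text: str) -> list[dict]:
    """One finding per risky action reference or marker hit, with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and m.group(1) in RISKY_ACTIONS:
            ref = m.group(2)  # sha_pinned: a full 40-hex commit, not a movable tag
            findings.append({"line": lineno, "kind": "risky-action", "action": m.group(1),
                             "ref": ref, "sha_pinned": bool(SHA_RE.match(ref))})
        if MALICIOUS_SNIPPET in line:
            findings.append({"line": lineno, "kind": "malicious-snippet"})
    return findings

def scan_repo(root: str) -> dict[str, list[dict]]:
    """Scan every workflow file under <root>/.github/workflows (hypothetical helper)."""
    results = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        hits = scan_workflow(path.read_text(encoding="utf-8"))
        if hits:
            results[str(path)] = hits
    return results

# Constructed workflow: a clean action, an unpinned risky one, a risky one pinned to a
# placeholder SHA, and a step whose body carries the README's marker string.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
      - run: echo IyEvdXNyL2Jpbi9lbnYgcHl0aG9uMwoKIyBiYXNlZCBvbiBodHRwczovL2RhdmlkZWJvdmUuY29tL2Jsb2cvP3A9MTY
"""
```

Running `scan_workflow(SAMPLE_WORKFLOW)` reports the unpinned reviewdog reference, the SHA-pinned changed-files reference, and the marker hit on the `run:` line, so a reviewer can triage pinned and unpinned uses separately.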

## Scan Options

You can run the scan in one of three modes:

- **Organization Scan:** Use the `--org` flag to scan all repositories within an organization.
- **Repository Scan:** Use the `--repo` flag to scan a specific repository (format: `owner/repo` or a full GitHub URL).
- **User Scan:** Use the `--user` flag to scan all repositories for a specific user.

## GitHub Personal Access Token (PAT)

To access repository content, you'll need a GitHub Personal Access Token (PAT) provided via the --token flag:

- **Organization Scans:** The PAT must include the `repo` and `read:org` scopes.
- **User/Repository Scans:** The PAT should have `repo` (for private repos) or `public_repo` (for public repos).

### How to Get Your GitHub PAT

1. Sign in to GitHub and click on your profile picture.
2. Navigate to Settings → Developer settings → Personal access tokens.
3. Click Generate new token, provide a descriptive name, and select the required scopes.
4. Generate and copy the token.

## Sample Command

To scan all repositories in an organization called myorg with the default keywords, run:

```bash
python CxGithubActionsScan.py --org myorg --token YOUR_GITHUB_PAT
```
 
# CxGithub2msScan

**CxGithub2msScan** is a Python tool that downloads GitHub Actions workflow run logs for a specified repository and scans them using the Checkmarx 2ms tool to detect secrets or leaked keys.

## Requirements

- **Python 3.x**
- **2ms.exe** (Checkmarx 2ms CLI) must be available in your PATH or in the same directory as the script.  
  *Download the 2ms binary from: [https://github.com/Checkmarx/2ms](https://github.com/Checkmarx/2ms)*
- A **GitHub personal access token** with access to the repository's Actions logs.

## GitHub Personal Access Token (PAT)

To access the repository's Actions logs, you'll need a GitHub Personal Access Token (PAT) provided via the `--token` flag:

### How to Get Your GitHub PAT

1. Sign in to GitHub and click on your profile picture.
2. Navigate to Settings → Developer settings → Personal access tokens.
3. Click Generate new token, provide a descriptive name, and select the required scopes.
4. Generate and copy the token.

## Usage

Run the tool from the command line with the required arguments. For example:

```bash
python CxGithub2msScan.py --owner your_org --repo your_repo --days 7 --token YOUR_GITHUB_TOKEN --output logs
```

File snapshot

```text
[4.0K] /data/pocs/d4c2dc06b48824c07c13b2fe627c3d872ea8a842
├── [6.2K] CxGithub2msScan.py
├── [6.5K] CxGithubActionsScan.py
├── [6.6K] LICENSE
└── [3.2K] README.md

0 directories, 4 files
```