
CVE-2025-30066 PoC — changed-files security vulnerability

Associated Vulnerability

Title: changed-files security vulnerability (CVE-2025-30066)

Description: changed-files is an open-source tool from tj-actions that tracks all changed files and directories relative to a target branch, a previous commit, or the last remote commit, returning paths relative to the project root. Versions of changed-files before v46 contain a security vulnerability: a remote attacker can discover secrets by reading the action logs.
Readme
# Checkmarx-CVE-2025-30066-Detection-Tool

These tools scan your GitHub workflows and logs for potential malicious actions associated with CVE-2025-30066. They check for a set of known risky GitHub Actions and a suspicious code snippet embedded in workflow files, and also for secrets that ended up exposed in logs due to CVE-2025-30066.


# CxGithubActionsScan

## What It Scans

The script looks for the following in your workflow files:

GitHub Actions:

- reviewdog/action-setup
- reviewdog/action-shellcheck
- reviewdog/action-composite-template
- reviewdog/action-staticcheck
- reviewdog/action-ast-grep
- reviewdog/action-typos
- tj-actions/changed-files
- tj-actions/eslint-changed-files

Malicious Code Snippet:

A base64-encoded snippet:

`IyEvdXNyL2Jpbi9lbnYgcHl0aG9uMwoKIyBiYXNlZCBvbiBodHRwczovL2RhdmlkZWJvdmUuY29tL2Jsb2cvP3A9MTY`
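As an added illustration of the two checks listed above (this is example code, not the Checkmarx tool's own implementation), the function below scans the text of one workflow file for `uses:` references to the listed actions and for the base64 marker; the sample workflow is constructed for the example.

```python
import re

# Action references the README lists as associated with CVE-2025-30066.
RISKY_ACTIONS = frozenset({
    "reviewdog/action-setup", "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template", "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep", "reviewdog/action-typos",
    "tj-actions/changed-files", "tj-actions/eslint-changed-files",
})

# Base64-encoded snippet the README names as the malicious marker.
SNIPPET_B64 = ("IyEvdXNyL2Jpbi9lbnYgcHl0aG9uMwoKIyBiYXNlZCBvbiBodHRwczovL2RhdmlkZWJv"
               "dmUuY29tL2Jsb2cvP3A9MTY")

# Matches `uses: owner/repo[/path]@ref` lines, quoted or not, with or
# without a leading list dash.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)(?:@([^'\"\s]+))?",
                     re.MULTILINE)


def scan_workflow(text):
    """Return (kind, value, ref) findings for one workflow file's contents."""
    findings = []
    for match in USES_RE.finditer(text):
        action, ref = match.group(1), match.group(2) or ""
        # Compare on owner/repo only so sub-action paths are also caught.
        owner_repo = "/".join(action.split("/")[:2])
        if owner_repo in RISKY_ACTIONS:
            findings.append(("risky-action", owner_repo, ref))
    if SNIPPET_B64 in text:
        findings.append(("payload-snippet", SNIPPET_B64, ""))
    return findings


# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - name: Changed files
        uses: tj-actions/changed-files@v45
      - uses: "reviewdog/action-shellcheck@v1"
      # the marker as it would appear in a tampered workflow file
      - run: echo """ + SNIPPET_B64 + "\n"
```

Point the function at each `.github/workflows/*.yml` file's contents to get the same findings the scanner reports.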

## Scan Options

You can run the scan in one of three modes:

- Organization Scan: Use the --org flag to scan all repositories within an organization.
- Repository Scan: Use the --repo flag to scan a specific repository (format: owner/repo or a full GitHub URL).
- User Scan: Use the --user flag to scan all repositories for a specific user.

## GitHub Personal Access Token (PAT)

To access repository content, you'll need a GitHub Personal Access Token (PAT) provided via the --token flag:

- Organization Scans: The PAT must include the repo and read:org scopes.
- User/Repository Scans: The PAT should have repo (for private repos) or public_repo (for public repos).

### How to Get Your GitHub PAT

1. Sign in to GitHub and click on your profile picture.
2. Navigate to Settings → Developer settings → Personal access tokens.
3. Click Generate new token, provide a descriptive name, and select the required scopes.
4. Generate and copy the token.

## Sample Command

To scan all repositories in an organization called myorg with the default keywords, run:

```bash
python CxGithubActionsScan.py --org myorg --token YOUR_GITHUB_PAT
```
 
# CxGithub2msScan

**CxGithub2msScan** is a Python tool that downloads GitHub Actions workflow run logs for a specified repository and scans them using the Checkmarx 2ms tool to detect secrets or leaked keys.

## Requirements

- **Python 3.x**
- **2ms.exe** (Checkmarx 2ms CLI) must be available in your PATH or in the same directory as the script.  
  *Download the 2ms binary from: [https://github.com/Checkmarx/2ms](https://github.com/Checkmarx/2ms)*
- A **GitHub personal access token** with access to the repository's Actions logs.

## GitHub Personal Access Token (PAT)

To access repository content, you'll need a GitHub Personal Access Token (PAT) provided via the --token flag:

### How to Get Your GitHub PAT

1. Sign in to GitHub and click on your profile picture.
2. Navigate to Settings → Developer settings → Personal access tokens.
3. Click Generate new token, provide a descriptive name, and select the required scopes.
4. Generate and copy the token.

## Usage

Run the tool from the command line with the required arguments. For example:

```bash
python CxGithub2msScan.py --owner your_org --repo your_repo --days 7 --token YOUR_GITHUB_TOKEN --output logs
```

File Snapshot

```
[4.0K] /data/pocs/d4c2dc06b48824c07c13b2fe627c3d872ea8a842
├── [6.2K] CxGithub2msScan.py
├── [6.5K] CxGithubActionsScan.py
├── [6.6K] LICENSE
└── [3.2K] README.md

0 directories, 4 files
```