Cycode Launches Open Source Security Scanner

Cycode Launches Raven, an Open Source Security Scanner to Bolster CI/CD Pipeline Security

With GitHub Actions as its first use case, Raven provides AppSec teams with a reliable and scalable solution for pipeline security analysis

Cycode announced the release of Raven, a CI/CD pipeline security scanner. Raven makes hidden risks visible by connecting the dots across vulnerabilities woven throughout the pipeline that, when viewed collectively, reveal a much greater risk than when each is assessed as a one-off CVE. Released as an open source project, Raven boosts the ability of security teams to implement secure software development practices, enabling them to work more strategically with DevOps teams while maturing their organization's ASPM capabilities.

As companies migrate to the cloud, security leaders are seizing the opportunity to "shift security left." In their urgency to implement this paradigm shift, they often overshoot, placing too much responsibility for the company’s application security posture on already-overburdened developers. And, despite the increasing overlap between security and development teams, they continue to work in silos, compounding miscommunications and process breakdowns. Cycode’s mission is to leverage its ASPM platform to make AppSec – and pipeline security in particular – a team sport, and Raven helps to further its vision.

“Similar to Cimon, Raven is another free tool created by the Cycode team to help organizations strengthen their pipeline security and AppSec posture,” said Oreen Livni, Senior Security Researcher at Cycode. “While Cimon also helps secure your CI/CD pipeline, in addition, Raven tells you the story across vulnerabilities and any blind spots. We're working on continuing to contribute unique value to the broader community and are excited to share Raven with the world.”

Introducing Raven

Initially focused on GitHub, Raven scans GitHub workflows and breaks them down into individual components. These components are then inserted into a Neo4j database as distinct types of nodes, with relationships established between them. This allows for effortless scanning and identification of vulnerabilities in workflows.

Raven utilizes a knowledge base built over the course of more than a year of comprehensive research into GitHub Actions by the Cycode research team. Throughout this period, data was gathered from a wide range of systems, thousands of projects and multiple configurations – an effort that led Cycode to release Raven as an open-source tool to help enhance CI/CD security and support the community.

Raven consists of the following components:
  • Downloader: To download workflows and actions necessary for analysis. Workflows can be downloaded for a specified organization or for all repositories, sorted by star count. Performing this step is a prerequisite for analyzing the workflows.
  • Indexer: To digest the downloaded data into a graph-based Neo4j database. This process involves establishing relationships between workflows, actions, jobs, steps, etc.
  • Query Library: A library of predefined queries based on research conducted by the community.
  • Report: Raven has a simple way of reporting suspicious findings. As an example, it can be incorporated into the CI process for pull requests and run there.
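
The Indexer and Query Library steps above can be illustrated with a small worked example. The following is added here and is not Raven's own code: it takes the parsed form of one GitHub Actions workflow (a constructed sample, shown as the dict that `yaml.safe_load()` would return), indexes it into an in-memory graph of Workflow, Job, Step and Action nodes joined by CONTAINS, NEEDS and USES relationships (this example's own node and relationship names, not Raven's Neo4j schema), and then runs two queries of the kind a predefined library would hold: which steps reference a given action, and which `uses:` references point at a mutable tag or branch rather than a full commit SHA (a general pinning-hygiene check, used here only to show how a query walks the graph).

```python
"""Toy Indexer + Query pipeline for a GitHub Actions workflow.

Added example, not Raven's code. The graph is kept in memory instead of
Neo4j so the script runs offline; node types and relationship names are
this example's own choices.
"""
import re
from typing import Any

# Constructed sample: the dict form of a small workflow YAML, as
# yaml.safe_load() would return it. The 40-hex ref is a placeholder, not a real commit.
SAMPLE_WORKFLOW: dict[str, Any] = {
    "name": "CI",
    "on": ["push", "pull_request"],
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"uses": "actions/setup-node@0123456789abcdef0123456789abcdef01234567"},
                {"run": "npm ci && npm test"},
            ],
        },
        "deploy": {
            "needs": "build",
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"uses": "./.github/actions/deploy"},  # local action, no ref
            ],
        },
    },
}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class WorkflowGraph:
    """Minimal property graph: nodes keyed by id, edges as (src, rel, dst, props)."""

    def __init__(self) -> None:
        self.nodes: dict[str, dict[str, Any]] = {}
        self.edges: list[tuple[str, str, str, dict[str, Any]]] = []

    def add_node(self, node_id: str, node_type: str, **props: Any) -> str:
        self.nodes.setdefault(node_id, {"type": node_type, **props})
        return node_id

    def add_edge(self, src: str, rel: str, dst: str, **props: Any) -> None:
        self.edges.append((src, rel, dst, props))


def triggers(wf: dict[str, Any]) -> list[str]:
    """Normalise the 'on' block to a list. PyYAML (YAML 1.1) parses a bare
    'on:' key as the boolean True, so both spellings are checked."""
    raw = wf.get("on", wf.get(True, []))
    if isinstance(raw, str):
        return [raw]
    if isinstance(raw, dict):
        return list(raw.keys())
    return list(raw)


def index_workflow(graph: WorkflowGraph, path: str, wf: dict[str, Any]) -> str:
    """Indexer: break a workflow into nodes and relationships."""
    wf_id = graph.add_node(f"workflow:{path}", "Workflow",
                           name=wf.get("name", path), triggers=triggers(wf))
    for job_name, job in wf.get("jobs", {}).items():
        job_id = graph.add_node(f"job:{path}:{job_name}", "Job", runs_on=job.get("runs-on"))
        graph.add_edge(wf_id, "CONTAINS", job_id)
        needs = job.get("needs", [])
        for dep in [needs] if isinstance(needs, str) else needs:
            graph.add_edge(job_id, "NEEDS", f"job:{path}:{dep}")
        for i, step in enumerate(job.get("steps", [])):
            step_id = graph.add_node(f"step:{path}:{job_name}:{i}", "Step", run=step.get("run"))
            graph.add_edge(job_id, "CONTAINS", step_id)
            if step.get("uses"):
                name, _, ref = step["uses"].partition("@")
                action_id = graph.add_node(f"action:{name}", "Action", name=name)
                graph.add_edge(step_id, "USES", action_id, ref=ref)
    return wf_id


def steps_using(graph: WorkflowGraph, action_name: str) -> list[str]:
    """Query: every Step node with a USES edge to the named action."""
    target = f"action:{action_name}"
    return [src for src, rel, dst, _ in graph.edges if rel == "USES" and dst == target]


def workflow_of(graph: WorkflowGraph, node_id: str) -> str:
    """Walk CONTAINS edges upwards from a job or step to its Workflow node."""
    current = node_id
    while graph.nodes[current]["type"] != "Workflow":
        current = next(s for s, r, d, _ in graph.edges if r == "CONTAINS" and d == current)
    return current


def unpinned_actions(graph: WorkflowGraph) -> list[tuple[str, str]]:
    """Illustrative query: USES edges whose ref is not a full commit SHA.
    Local (./) and docker:// actions carry no ref and are skipped."""
    findings = []
    for src, rel, dst, props in graph.edges:
        name = graph.nodes[dst]["name"] if rel == "USES" else ""
        if rel != "USES" or name.startswith(("./", "docker://")):
            continue
        if not SHA_RE.match(props.get("ref", "")):
            findings.append((src, f"{name}@{props.get('ref', '')}"))
    return findings


def build_sample_graph() -> WorkflowGraph:
    graph = WorkflowGraph()
    index_workflow(graph, "ci.yml", SAMPLE_WORKFLOW)
    return graph


if __name__ == "__main__":
    g = build_sample_graph()
    for step_id, uses in unpinned_actions(g):
        print(f"{workflow_of(g, step_id)} -> {step_id}: {uses} is not pinned to a commit SHA")
```

A real Downloader would feed many repositories' workflow files into `index_workflow` with their repository path as `path`, so that Action nodes are shared across workflows and a single query can answer "which workflows, across the whole organisation, reach this action" by following USES edges backwards and then CONTAINS edges upwards.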

Using Raven, Cycode researchers were able to identify and report security vulnerabilities in some of the most popular repositories hosted on GitHub, including FreeCodeCamp, the most popular project on GitHub; Storybook, one of the top frontend frameworks; and Fluent UI by Microsoft.

Source: Cycode media announcement
