[Open-Source Tool] Detect & Mitigate GitHub Actions Supply Chain Attack (tj-actions/changed-files) #882
NaveRazy-Navina asked this question in Ideas
🚨 GitHub Actions Supply Chain Attack Detection Tool
On March 15, 2025, the popular GitHub Action tj-actions/changed-files was compromised, potentially exfiltrating secrets from thousands of CI/CD pipelines. To help teams quickly detect and mitigate the impact, we developed an automated scanner that:
✅ Finds all affected repositories in an organization.
✅ Identifies workflows using tj-actions/changed-files.
✅ Extracts CI/CD logs & scans for leaked secrets (double Base64 encoding detection).
✅ Logs findings for remediation.
🔧 Tool Link: GitHub Actions Security Scanner
🛠 How to Use:
Change your org name in the file.
Security Recommendations:
🚨 If secrets were leaked, rotate all credentials immediately (GitHub tokens, AWS keys, DB credentials).
🔐 Use SHA-pinned GitHub Actions to prevent supply chain attacks.
🛑 Restrict external actions using GitHub’s allow-list feature.
💡 Looking for feedback & contributions!
➡️ Have ideas to improve it? PRs are welcome! GitHub Repo
🔁 Please share with your DevSecOps teams to prevent further exploitation!
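As an added example that is not the poster's scanner, the two checks the post describes in miniature: listing every tj-actions/changed-files reference in a workflow file (and whether it is pinned to a full commit SHA) and flagging log tokens that decode cleanly through two layers of Base64. The workflow, log lines and the 40-hex ref are constructed placeholders, not real commits or real secrets.

```python
import base64
import binascii
import re
# Added example (not the poster's scanner): flag tj-actions/changed-files refs
# in a workflow, note SHA pinning, and detect double-Base64 blobs in CI logs.
# Sample inputs are constructed; the 40-hex ref is a placeholder, not a commit.
USES_RE = re.compile(r"uses:\s*['\"]?tj-actions/changed-files@([^\s'\"]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

def find_changed_files_uses(workflow_text):
    """Return (ref, is_sha_pinned) for every tj-actions/changed-files use."""
    return [(m.group(1), bool(SHA_RE.match(m.group(1))))
            for m in USES_RE.finditer(workflow_text)]

def _b64_decode(blob):
    """Strict decode; None if the input is not well-formed Base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None

def find_double_b64(log_text):
    """Return plaintexts of log tokens that decode cleanly twice to ASCII."""
    hits = []
    for m in B64_RE.finditer(log_text):
        inner = _b64_decode(m.group(0))
        plain = _b64_decode(inner) if inner is not None else None
        if plain is None:
            continue  # not Base64, or only single-encoded (e.g. a SHA or text)
        try:
            text = plain.decode("ascii")
        except UnicodeDecodeError:
            continue  # decoded twice but to binary junk, not a dumped secret
        if text.isprintable():
            hits.append(text)
    return hits

SAMPLE_WORKFLOW = """\
steps:
  - uses: tj-actions/changed-files@v45
  - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
"""
SECRET = b"AWS_SECRET_ACCESS_KEY=constructed-example"
SAMPLE_LOG = "\n".join([
    base64.b64encode(base64.b64encode(SECRET)).decode(),  # double-encoded
    base64.b64encode(b"just an ordinary log line, single-encoded").decode(),
    "sha: 0123456789abcdef0123456789abcdef01234567",
])
```

Run the two functions over real workflow files and downloaded job logs; a non-SHA ref or any double-decoded hit is the signal to rotate credentials as the post recommends.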