## https://sploitus.com/exploit?id=FD42DB51-CAE0-52C1-B26C-16A8DB8196F7
# Checkmarx-CVE-2025-30066-Detection-Tool
These are tools for scanning your GitHub workflows and logs for potentially malicious activity associated with CVE-2025-30066. They check for a set of known risky GitHub Actions and a suspicious code snippet embedded in workflow files, as well as for secrets that ended up exposed in logs because of CVE-2025-30066.
# CxGithubActionsScan
## What It Scans
The script looks for the following in your workflow files:
GitHub Actions:
- reviewdog/action-setup
- reviewdog/action-shellcheck
- reviewdog/action-composite-template
- reviewdog/action-staticcheck
- reviewdog/action-ast-grep
- reviewdog/action-typos
- tj-actions/changed-files
- tj-actions/eslint-changed-files

Malicious Code Snippet:
A base64-encoded snippet:
```
IyEvdXNyL2Jpbi9lbnYgcHl0aG9uMwoKIyBiYXNlZCBvbiBodHRwczovL2RhdmlkZWJvdmUuY29tL2Jsb2cvP3A9MTY
```
## Scan Options
You can run the scan in one of three modes:
- Organization Scan: Use the `--org` flag to scan all repositories within an organization.
- Repository Scan: Use the `--repo` flag to scan a specific repository (format: `owner/repo` or a full GitHub URL).
- User Scan: Use the `--user` flag to scan all repositories for a specific user.
## GitHub Personal Access Token (PAT)
To access repository content, you'll need a GitHub Personal Access Token (PAT) provided via the `--token` flag:
- Organization Scans: The PAT must include the `repo` and `read:org` scopes.
- User/Repository Scans: The PAT should have `repo` (for private repos) or `public_repo` (for public repos).
### How to Get Your GitHub PAT
1. Sign in to GitHub and click on your profile picture.
2. Navigate to Settings → Developer settings → Personal access tokens.
3. Click Generate new token, provide a descriptive name, and select the required scopes.
4. Generate and copy the token.
## Sample Command
To scan all repositories in an organization called myorg with the default keywords, run:
```bash
python CxGithubActionsScan.py --org myorg --token YOUR_GITHUB_PAT
```
# CxGithub2msScan
**CxGithub2msScan** is a Python tool that downloads GitHub Actions workflow run logs for a specified repository and scans them using the Checkmarx 2ms tool to detect secrets or leaked keys.
## Requirements
- **Python 3.x**
- **2ms.exe** (Checkmarx 2ms CLI) must be available in your PATH or in the same directory as the script.
*Download the 2ms binary from: [https://github.com/Checkmarx/2ms](https://github.com/Checkmarx/2ms)*
- A **GitHub personal access token** with access to the repository's Actions logs.
## GitHub Personal Access Token (PAT)
To access repository content and Actions logs, you'll need a GitHub Personal Access Token (PAT) provided via the `--token` flag.
### How to Get Your GitHub PAT
1. Sign in to GitHub and click on your profile picture.
2. Navigate to Settings → Developer settings → Personal access tokens.
3. Click Generate new token, provide a descriptive name, and select the required scopes.
4. Generate and copy the token.
## Usage
Run the tool from the command line with the required arguments. For example:
```bash
python CxGithub2msScan.py --owner your_org --repo your_repo --days 7 --token YOUR_GITHUB_TOKEN --output logs
```