feat: add security analysis support for internal compsite GitHub Actions by behnazh-w · Pull Request #1418 · oracle/macaron

behnazh-w · 2026-06-15T23:12:18Z

Summary

Adds support for security analysis of internal composite GitHub Actions.

Added composite action parsing for local action.yml / action.yaml files.
Expanded reachable uses: ./... composite actions into the GitHub Actions callgraph.
Added standalone roots for unreachable local actions at:
- action.yml
- action.yaml
- .github/actions/**/action.yml
- .github/actions/**/action.yaml
Nested uses: inside composite actions now appear as normal GitHubActionsActionStepNodes, so existing third-party pinning and OSV collection logic can see them.
Fixed local uses: ./... parsing so refs without @ no longer become an empty action name.
Added a recursion guard for local composite action cycles.
Added regression tests for reachable and unreachable composite actions.

Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>

oracle-contributor-agreement Bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jun 15, 2026

behnazh-w changed the title ~~Behnazh/analyze action yaml~~ feat: add security analysis support for internal compsite GitHub Actions Jun 15, 2026

behnazh-w force-pushed the behnazh/analyze-action-yaml branch 2 times, most recently from 4f1fcd1 to 82bd53d Compare June 15, 2026 23:31

feat: add security analysis support for internal compsite GitHub Actions

357ccf7

Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>

behnazh-w force-pushed the behnazh/analyze-action-yaml branch from 82bd53d to 357ccf7 Compare June 17, 2026 04:01