AI Analysis
Final verdict: SAFE
The package appears to be legitimate with minimal risks. The primary concerns are around incomplete metadata and potential credential mishandling, but these do not strongly indicate malicious intent.
- Incomplete author information
- Potential for credential mishandling
Per-check LLM notes
- Network: The network calls appear to be for GitHub API interactions, which could be legitimate for version control or dependency management.
- Shell: Subprocess calls seem to be for running tests and checks, which is common practice for ensuring the quality and functionality of the package.
- Obfuscation: No obfuscation patterns detected.
- Credentials: The usage of environment variables for credentials is common practice but should be handled with care to prevent accidental exposure.
- Metadata: The author information is incomplete and the maintainer seems to be new or inactive, which raises some suspicion but not enough to conclusively determine malice.
Heuristic Checks
Outbound Network Calls
score 4.5
Found 3 network call pattern(s)
t, str | None]: request = urllib.request.Request( url, headers=_headers(github_token), ) try: with urllib.request.urlopen(request, timeout=15) as response: returntoken self.session = requests.Session() self.session.headers.update( {
Code Obfuscation
No obfuscation patterns detected
Shell / Subprocess Execution
score 10.0
Found 5 shell execution pattern(s)
cks.append(passed) result = subprocess.run(["pytest", "tests/", "-q"], capture_output=True, text=True)se 'no output'}", )
result = subprocess.run(["ruff", "check", "actionscope/"], capture_output=True) checlt.returncode == 0)
result = subprocess.run( ["python", "-m", "build", "--no-isolation"], capturlt.returncode == 0)
result = subprocess.run(["actionscope", "--version"], capture_output=True, text=Trueult.stdout.strip())
result = subprocess.run( ["actionscope", "scan", ".", "--output-format", "json"]
Credential Harvesting
score 2.5
Found 1 credential access pattern(s)
quired=False, default=os.environ.get("GITHUB_TOKEN"), help="GitHub PAT (or set GITHUB_TOKEN env var)",
Typosquatting
No typosquatting candidates detected
Registered Email Domain
Email domain looks legitimate: gmail.com
Suspicious Page Links
All external links appear legitimate
Git Repository History
Repository r12habh/ActionScope appears legitimate
Maintainer History
score 4.0
2 maintainer concern(s) found
- Author name is missing or very short
- Author "" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities
No known vulnerabilities found in OSV database.
AI App Starter Prompt
Use this prompt to build a project with actionscope
Develop a Python-based tool named 'AWSActionScopeAnalyzer' that leverages the 'actionscope' package to analyze the blast radius of AWS resources within GitHub Actions workflows. This tool will help developers and DevOps engineers understand which AWS resources could potentially be affected by a given GitHub Actions workflow, enhancing security and compliance practices.

The application should perform the following steps:
1. Accept a GitHub Actions workflow file as input.
2. Parse the workflow file to identify all AWS-related actions and commands.
3. Use the 'actionscope' package to map out the potential impact or 'blast radius' of these actions on AWS resources.
4. Generate a report detailing which AWS services, regions, and accounts might be impacted by the workflow.
5. Provide suggestions for minimizing the blast radius, such as using more specific resource identifiers or leveraging IAM policies.

Suggested features include:
- Integration with the GitHub API to fetch workflows directly from repositories.
- User-friendly command-line interface (CLI) for easy interaction.
- Support for multiple workflow files at once.
- Output of the results in various formats (JSON, YAML, Markdown).
- Optional feature to simulate the execution of the workflow in a test environment before actual deployment.

How to utilize the 'actionscope' package:
- Import the necessary modules from the 'actionscope' package.
- Use its functions to parse the workflow content and determine the scope of AWS operations.
- Leverage the package's capabilities to assess the potential impact on AWS resources, including identifying the affected services, regions, and accounts.
- Integrate the analysis results into your application's reporting mechanism.

This tool aims to enhance the security and operational efficiency of GitHub Actions workflows by providing developers with clear insights into their AWS resource interactions.