Github Actions Security Landscape

2022-06-22

Authors: Ronen Slavin, Alex Ilgayev


Summary

The presentation discusses the security landscape of Github Actions and the vulnerabilities that can arise from misconfigured workflows. The focus is on code injection as the main exploitation scenario and on the consequences that can follow from such attacks.
  • Github Actions is a popular CI/CD tool that allows developers to automate development workflows easily
  • Misconfigurations in Github Actions can lead to potential vulnerabilities
  • Code injection is a common exploit that can result from misconfigurations
  • The consequences of such attacks can be disastrous, including exposing secrets and allowing attackers to commit malicious code
  • Possible mitigations to stop such attacks are explored
The presentation provides examples of popular open-source projects that used Github Actions and had critical vulnerabilities in their workflows. The vulnerabilities were reported to the maintainers, who fixed them immediately. The consequences of such a build compromise are disastrous: secrets are exposed and an attacker can commit malicious code into the repository. This can cause a critical supply chain incident, as the attacker can introduce malicious changes that are then deployed to end users or to organization environments.
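The misconfiguration class the summary refers to is easiest to see on a concrete workflow. The following is an added example and not code from the talk or its authors: it embeds two constructed workflow fragments, one that interpolates an attacker-controlled field (an issue title) directly into a `run:` shell script through a `${{ }}` expression, and one that passes the same value through an environment variable so the shell never parses it as code. A small heuristic scanner (hypothetical, line-based, not a full YAML parser) then flags the risky pattern, which is the kind of check a defender would run over a repository's `.github/workflows` directory. The list of untrusted contexts is an assumption drawn from fields that carry free text supplied by external contributors.

```python
import re

# Expression contexts whose value is free text controlled by whoever opened the
# issue, pull request or comment (assumption: a representative, not exhaustive, list).
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.head_commit.message",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")          # ${{ expression }}
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")       # a step's run: key

# Constructed vulnerable workflow: the issue title is substituted into the shell
# script before the shell runs it, so shell metacharacters in the title execute.
VULNERABLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"
          echo "Opened by: ${{ github.event.issue.user.login }}"
"""

# Constructed hardened workflow: the same value reaches the script only as the
# contents of an environment variable, which the shell treats as data.
HARDENED_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
"""


def find_run_script_injections(workflow_text):
    """Return (line_number, expression) pairs for every untrusted expression
    that is expanded inside a run: script.  Heuristic: a run: value that is a
    block scalar (| or >) continues on every following line indented deeper
    than the run: key itself."""
    findings = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + (len(m.group(2)) if m.group(2) else 0)
        script = [(i + 1, m.group(3))]
        if m.group(3).strip() in ("|", "|-", ">", ">-"):
            j = i + 1
            while j < len(lines) and (
                lines[j].strip() == ""
                or len(lines[j]) - len(lines[j].lstrip()) > key_indent
            ):
                script.append((j + 1, lines[j]))
                j += 1
            i = j
        else:
            i += 1
        for lineno, text in script:
            for expr in EXPR_RE.findall(text):
                if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                    findings.append((lineno, expr))
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, find_run_script_injections(wf))
```

The scanner reports line 10 of the constructed vulnerable workflow and nothing for the hardened one: the `env:` mapping still contains the expression, but there GitHub's runner places the value into a variable instead of splicing it into script text, so the shell cannot interpret it as commands. `github.event.issue.user.login` is deliberately not flagged, since GitHub constrains usernames to a safe character set.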

Abstract

Github Actions, the recent (from 2018) CI/CD addition to the popular source control system, is becoming an increasingly popular DevOps tool, mainly due to its rich marketplace and simple integration. As part of our research into the Github Actions security landscape, we discovered that writing a perfectly secure Github Actions workflow is harder than it looks: several pitfalls can have severe security consequences. Unless developers are proficient in the depths of Github's best-practices documents, their workflows will contain mistakes. Such mistakes are costly - and can pose a supply-chain risk to the product. During the talk, we'll walk you through our journey: how we found and disclosed vulnerable workflows in several popular open-source tools, how we delved into the Github Actions architecture to understand the possible consequences of these vulnerabilities, and what the mitigations for such issues could be.

Materials:
