allArticles Conferences Presentations

Pwning the CI (GitHub Actions Edition)

Conference: RSA Conference 2023

2023-04-24

Authors: Stephen Giguere

Abstract

Our path to an open source, GitOps heaven has exposed new security challenges as our CI solutions are exposed to the outside world. The soft underbelly of our pipeline is as visible to willing contributors as it is to malicious subversives. In this talk, we'll look at examples of known exploits to GitHub Actions workflows showing how simple bad practices can open our supply chain to attackers.

Materials:

Tags:

Post a comment

Related work

Pwning the CI (with GitHub Action Workflows)

Conference: Cloud Native SecurityCon North America 2022

Authors: Stephen Giguere

2022-10-25

Github Actions Security Landscape

Conference: SupplyChainSecurityCon 2022

Authors: Ronen Slavin, Alex Ilgayev

2022-06-22

GitHub Actions: Vulnerabilities, Attacks, and Counter-measures

Conference: Global AppSec Dublin 2023

Authors: Magno Logan

2023-02-15

The GitHub Actions Worm: Compromising GitHub repositories through the Actions dependency tree

Conference: Defcon 31

Authors: Asi Greenholts Security Researcher at Palo Alto Networks

2023-08-01

Secure Your Project with the SIG Release Supply Chain Kit

Conference: KubeCon + CloudNativeCon Europe 2023

Authors: Carlos Panato, Adolfo García Veytia

2023-04-20

Feedback loop in DevSecOps - mature security process and dev cooperation

Conference: OWASP 20th Anniversary Event

Authors: Daniel Krasnokucki

2021-09-24