Github Actions Security Landscape
Conference: SupplyChainSecurityCon 2022
2022-06-22
Authors: Ronen Slavin, Alex Ilgayev
Summary
The presentation discusses the security landscape of Github Actions and the potential vulnerabilities that can arise from misconfigurations. The focus is on code injection as the main scenario of the exploit and the consequences that can result from such attacks.
- Github Actions is a popular CI/CD tool that allows developers to automate development workflows easily
- Misconfigurations in Github Actions can lead to potential vulnerabilities
- Code injection is a common exploit that can result from misconfigurations
- The consequences of such attacks can be disastrous, including exposing secrets and allowing attackers to commit malicious code
- Possible mitigations to stop such attacks are explored
Abstract
Github Actions, the recent (from 2018) CI/CD addition to the popular source control system, is becoming an increasingly popular DevOps tool mainly due to its rich marketplace and simple integration. As part of our research of the Github actions security landscape, we discovered that in writing a perfectly secure Github actions workflow, several pitfalls could cause severe security consequences. Unless the developers are proficient in the depths of Github best-practices documents, these workflows would have mistakes. Such mistakes are costly - and could cause a potential supply-chain risk to the product. During the talk, we’ll walk you through our journey on how we found and disclosed vulnerable workflows in several popular open-source tools, delved into Github actions architecture to understand the possible consequences of these vulnerabilities, and present what could be the mitigations for such issues.
Materials: