Dates
Conferences
Tags
Sort by:
Most recent
Conference: Defcon 31
Authors: Asi Greenholts Security Researcher at Palo Alto Networks
2023-08-01
GitHub is the most popular platform to host Open Source projects therefore, the popularity of their CI/CD platform - GitHub Actions is rising, which makes it an attractive target for attackers.
In this talk I’ll show you how an attacker can take advantage of the Custom GitHub Actions ecosystem by infecting one Action to spread malicious code to other Actions and projects by showing you a demo of POC worm.
We will start by exploring the ways in which Actions are loosely and implicitly dependent on other Actions. This will allow us to create a dependency tree of Actions that starts from a project that we want to attack and hopefully ends in a vulnerable Action that we can take control of.
We will then dive down to how GitHub Actions is working under the hood and I’ll show you how an attacker that is in control of an Action can utilize the mechanism of the GitHub Actions Runner to infect other Actions that are dependent on their Action and eventually infect the targeted project.
Finally, after we’ve gained all of the theoretical knowledge I’ll show you a demo with POC malware that is spreading through Actions and we will talk on how to defend against this kind of attack.
Conference: Cloud Native SecurityCon North America 2022
Authors: Loris Degioanni
2022-10-25
tldr - powered by Generative AI
The presentation discusses the importance of securing code repositories and how to detect and prevent threats using CNCF's Falco.
- Code repositories are a prime target for attacks and are subject to several categories of threats such as pushing secrets, running GitHub actions with miners, and mistakenly publishing a private repository.
- Falco is a runtime security tool that traditionally protects containers and pods in Kubernetes but now has a GitHub plugin to provide real-time runtime security for GitHub repositories.
- Falco listens on containerized Kubernetes-based endpoints and captures signals such as system calls to detect bad stuff and give alerts.
- Falco's rule engine is simple and customizable, allowing users to add their own rules to detect specific threats.
- Falco is free, open-source, and can be helpful in securing code repositories.
- The presenter invites attendees to a Falco party and a session with Falco developers to learn more about the tool.
Conference: Cloud Native SecurityCon North America 2022
Authors: Stephen Giguere
2022-10-25
tldr - powered by Generative AI
The presentation discusses the security challenges faced by open source projects and GitOps workflows, particularly in relation to GitHub Actions workflows. The speaker demonstrates potential abuses and vulnerabilities in GitHub Actions workflows and highlights the importance of implementing best practices to protect against attacks.
- Open source projects and GitOps workflows are vulnerable to security threats
- GitHub Actions workflows can be abused by malicious actors to gain access to sensitive information
- Best practices, such as implementing environmental protection and short-lived tokens, can help protect against attacks
Conference: SupplyChainSecurityCon 2022
Authors: Varun Sharma
2022-06-23
tldr - powered by Generative AI
The importance of setting minimum permissions for the GITHUB token and how the open-source project SecureWorkflows can automatically restrict permissions for the token.
- GitHub Actions is a CI/CD platform with over 2 million workflows used by open-source projects, and each workflow gets a GITHUB token.
- Restricting permissions for the GITHUB token is recommended by GitHub and the Open Source Security Foundation (OSSF) Security Scorecards.
- Setting permissions for the token is difficult and time-consuming, as different GitHub Actions require different permissions.
- SecureWorkflows is an open-source project that can automatically set minimum permissions for the GITHUB token, based on a knowledge base of required permissions for common GitHub Actions.
- SecureWorkflows has been used to set token permissions for hundreds of workflows, including for the GitHub Actions starter workflows, and is recommended by OSSF Scorecards to fix token permissions.
- The importance of setting minimum permissions for the GITHUB token is illustrated by a story of a supply chain attack on the VS Code GitHub repository, where a security researcher was able to push a commit to a release branch using a GitHub Actions workflow and an injected token with content's right permission.
Tags:
Conference: SupplyChainSecurityCon 2022
Authors: Laurent Simon, Asra Ali
2022-06-21
tldr - powered by Generative AI
The presentation discusses the importance of artifact attestation or salsa provenance in ensuring the authenticity of build artifacts and creating strong links between artifacts and their source repositories. It also highlights the various use cases of artifact attestation in the supply chain.
- Artifact attestation creates a strong link between build artifacts and their source repositories, ensuring authenticity and enabling the creation of policies.
- Artifact attestation can be used to enforce policies at different stages of the supply chain, including control plane, build time, and installation time.
- GitHub's dependency API and S-BOM API can benefit from artifact attestation to ensure the authenticity of dependencies and S-BOMs.
- Artifact attestation can be used to prove to third parties that S-BOMs are authentic and created without cheating or hiding vulnerabilities.
- Artifact attestation can be used for any kind of metadata, including static analysis tool results.