
GitHub Actions & Code Injection: Avoiding Vulnerable Configurations


Details

IF YOU'D LIKE TO JOIN LIVE AND/OR GET A COPY OF THE RECORDING, MAKE SURE TO SIGN UP HERE AND NOT JUST ON MEETUP: https://go.cycode.com/githubactions?utm_source=slstore


Wednesday, March 30, 2022 | 1 PM EST | 10 AM PST

GitHub Actions is an increasingly popular DevOps tool mainly due to its rich marketplace and ease of use.

As part of our research into the GitHub Actions security landscape, we found that writing a truly secure GitHub Actions workflow is harder than it looks: several pitfalls can have severe security consequences. For example, many developers use event input data (an issue title, a pull request body, a branch name) to drive their workflow. That data can be controlled by an attacker, and when it is interpolated directly into a run step it becomes part of the script the runner executes, which lets the attacker compromise the build process. Unless developers deeply understand GitHub's best-practice documents, these workflows are likely to contain such mistakes. Those mistakes are costly, and they create a supply-chain risk for the application.
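The injection described above, as an added example that is not code from the page, from Cycode, or from GitHub: a bash script that simulates how the runner expands `${{ github.event.issue.title }}` textually into a `run:` step, beside the usual fix of passing the value through `env:`. The issue title is a constructed attacker payload, the function names (`vulnerable_run`, `hardened_run`, `was_injected`) are the example's own, and the substitution is a simplified stand-in for what the runner does before bash starts.

```bash
#!/usr/bin/env bash
# Added example, not code from the page or from Cycode. It simulates how the GitHub Actions
# runner expands ${{ ... }} expressions textually into a `run:` script before bash executes
# it, and contrasts that with passing the same value through an environment variable.

# Constructed attacker-controlled input: on a public repository anyone can open an issue,
# so github.event.issue.title is attacker-chosen. This title closes the author's quotes,
# runs a command, then reopens them so the rendered script stays syntactically valid.
ISSUE_TITLE='harmless"; echo "pwned by uid $(id -u)"; echo "'

# Vulnerable pattern. The workflow step was written as:
#   run: echo "Issue title: ${{ github.event.issue.title }}"
# The runner substitutes the expression verbatim, so bash receives a script that already
# contains the attacker's text as code. This function builds that rendered script and runs it
# (the string concatenation is the example's stand-in for the runner's substitution).
vulnerable_run() {
  rendered='echo "Issue title: '"$ISSUE_TITLE"'"'
  bash -c "$rendered"
}

# Hardened pattern. The same step written as:
#   env:
#     TITLE: ${{ github.event.issue.title }}
#   run: echo "Issue title: $TITLE"
# The runner places the value in the environment; the script bash parses is a fixed literal,
# and "$TITLE" is expanded as data. Bash never re-parses an expanded variable as code.
hardened_run() {
  TITLE="$ISSUE_TITLE" bash -c 'echo "Issue title: $TITLE"'
}

# Returns 0 when the output of the given command shows that $(id -u) was really executed,
# i.e. "pwned by uid " is followed by a digit rather than by the literal text "$(id -u)".
was_injected() {
  out="$("$@" 2>&1)"
  case "$out" in
    *'pwned by uid '[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

echo "--- vulnerable step ---"
vulnerable_run
echo "--- hardened step ---"
hardened_run
```

The same rule applies to every other attacker-influenced event field (pull request title and body, commit messages, branch and ref names, review comments): never place `${{ }}` expressions inside a `run:` script; bind them to `env:` and reference the variable from the script.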

During the webinar, we'll discuss how we found and disclosed vulnerable workflows in several popular open-source tools, delve into the GitHub Actions architecture to understand the possible consequences of these vulnerabilities, and present mitigations for such issues.

Data and Analytics Riyadh