DeepSec 2022 Talk: GitHub Actions Security Landscape – Ronen Slavin
GitHub Actions, the recent (from 2018) CI/CD addition to the popular source control system, is becoming an increasingly popular DevOps tool mainly due to its rich marketplace and simple integration.
As part of our research into the GitHub Actions security landscape, we found that several pitfalls stand between a developer and a truly secure GitHub Actions workflow, and that each of them can have severe security consequences. For example, many developers use event input data to improve their workflow process. However, this data can be controlled by an attacker and used to compromise the build process. Unless the developers are well versed in the depths of GitHub's best-practices documentation, their workflows will contain such mistakes. These mistakes are costly, and can turn into a supply chain risk for the product.
During the talk, we'll walk you through our journey: how we found and disclosed vulnerable workflows in several popular open-source tools, how we delved into the GitHub Actions architecture to understand the possible consequences of these vulnerabilities, and what the mitigations for such issues could be.
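The pitfall the abstract describes, as an added illustration that is not from the talk or from Cycode's own material: a workflow that expands untrusted event input directly inside a shell step, beside the hardened form that passes the same value through an environment variable. The workflow names, the triage job, and the use of an issue title as the untrusted field are assumptions chosen for the example.

```yaml
# Added example (not from the talk). Two workflow documents in one file.
# Document 1: the vulnerable pattern. `github.event.issue.title` is data
# supplied by whoever opened the issue (assumed here as the untrusted field).
name: triage-vulnerable
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      # UNSAFE: the ${{ }} expression is substituted into the script text
      # before the shell parses it, so any shell metacharacters in the title
      # become part of the command rather than part of a string.
      - run: echo "New issue: ${{ github.event.issue.title }}"
---
# Document 2: the hardened pattern.
name: triage-hardened
on:
  issues:
    types: [opened]
# Least privilege for the default GITHUB_TOKEN: a compromised step in this
# job could not push code or tamper with releases.
permissions:
  contents: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      # SAFE: the value reaches the step as an environment variable, and the
      # shell expands "$ISSUE_TITLE" as data, never as code. The expression
      # is evaluated by the runner, not spliced into the script text.
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $ISSUE_TITLE"
```

The same rule applies to every other attacker-influenceable context value (pull request titles and bodies, branch names, commit messages): route it through `env:` or an action input rather than into `run:` text.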
Please tell us the top 5 facts about your talk.
- The talk explains what GitHub Actions is and how it works.
- We walk through a code injection scenario that is exposed in GitHub Actions and that affected several open source projects.
- We explain how an attacker could exploit this code injection scenario.
- The talk will include demos of the discussed scenarios.
- We will talk about mitigations to protect against the discussed scenario.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
We are a company focused on software supply chain security, and since GitHub Actions is a new technology, we wanted to look at the likely threats to it.
Why do you think this is an important topic?
GitHub Actions is growing in popularity and is often used by open source projects. We even found and reported the issue to dozens of open source projects and helped them fix it.
Is there something you want everybody to know – some good advice for our readers maybe?
As we adopt new technologies, we should always know the security implications they bring with them, and understand how they might impact us.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
I think software development in the future will look different and we will adopt many new technologies and standards that are now being developed, from signing commits using gitsign and harnessing sigstore tooling to adopting SLSA as a framework.
Ronen Slavin is Chief Technology Officer and co-founder of Cycode, with expert knowledge in cybersecurity. Previously, he was the CTO and co-founder of Filelock, which developed a unique solution to protect data even after a breach has occurred. Filelock was acquired by Reason Software in 2018, where Ronen moved on to lead the development of their Windows endpoint protection solution and their security research. Prior to that, Ronen worked on offensive cybersecurity research for a technology firm building commercial tools for government agencies. Ronen served as an R&D team leader, developer and architect in the Israeli Intelligence Corps and holds an M.Sc. in Computer Science with a focus on Cyber Security from Bar Ilan University.