Static analysis for GitHub Actions (zizmorcore/zizmor on GitHub).
In mid-March, a massive supply chain attack compromised ~23,000 GitHub repositories via GitHub Actions. Roughly four months prior, I predicted this attack would happen. But you didn’t have to be clairvoyant to see this coming. I could write a post whining about GitHub’s security malaise and the design of Actions, but instead I’ll try to make this a productive one. GitHub is working on a long-awaited feature called Immutable Actions that should make flash supply chain attacks like this impossible. It’s currently in preview and I’m not sure when it’s slated to be generally available.
You may already be familiar with GitHub’s CI/CD offering, GitHub Actions. Confusingly, “Actions” refers not only to the CI/CD platform, but also to reusable steps within workflows that anyone can publish on the Marketplace. Actions are published through ordinary repositories hosted on GitHub. GitHub itself provides many useful official Actions, such as checkout, which checks out a repository. It can be used like this:

    - name: Checkout
      uses: actions/checkout@v4

Here actions/checkout refers to the organisation and repository where the Action code is hosted, and v4 refers to the git tag to use. Herein lies, in my opinion, a severe issue with Actions.
Arc browser RCE (@RenwaX23), more Fortinet woes (@SinSinology), PowerHuntShares v2 (@_nullbind), make_token_cert (@freefirex2), BOFs without DFR (@netbiosX), and more!
On April 26, an unauthorized user exploited a vulnerability with a GitHub workflow to gain unauthorized access to tokens, all of which have now been invalidated. At this time, our investigation has found no evidence of code modifications, unauthorized access to production systems, exposure of customer data, or access to personal information.
Build resilient GitHub Actions workflows with insights from real attacks, missteps to avoid, and security tips GitHub’s docs don’t fully cover.