- Sysdig exposed how a trusted github function can silently control control to attackers
- Pull_request_target is not only risky, it is a weapon loaded in bad hands
- Even high -level safety projects like Miter can fall to error in Workflow Github Simple
Experts have revealed several critical vulnerabilities in the workflows of GitHub actions which could present serious risks for certain major open source projects.
A recent survey of the SYSDIG Research Research Team (TRT) exposed how configuration errors, in particular involving the Pull_request_target trigger, could allow attackers to take control of active standards or extract sensitive identification information.
The team demonstrated this by compromising well -known organizations of organizations such as Miter and Splunk.
Github Actions is widely adopted in the development of modern software for its automation capacities, but this convenience often hides security risks.
“Modern supply chain attacks frequently begin by abusing insecurity workflows,” said the report, noting how secrets like tokens or integrated passwords in workflows can be exploited if they are poorly secure.
Despite best practices and documents available, many benchmarks continue to use high -risk configurations, either from surveillance, or for lack of conscience.
At the heart of the problem is the Pull_request_target trigger, which performs workflows in the context of the main branch.
This configuration grants high privileges, including access to GitHub_Token secrets and the repository, to the code submitted from forks.
Although intended to facilitate pre-fusion tests, this mechanism also allows the execution of an unreliable code, creating an easily neglected attack surface.
The risks are not hypothetical, they are real.
In the Spotripy repository, which fits into the Spotify web API, Sysdig discovered a configuration where a configuration made by a benie .y could execute code and harvest secrets.
In the Miter Cybersecurity Analysis Box (CAR), the attackers were able to execute arbitrary code by modifying the dependencies.
SYSDIG confirmed that it was possible to take over the Github account associated with the project.
Even the SECURITY_CONTED SPLULK SECURITY_CONT had secrets like Appinspectusename and Appins RespectPassWord exposed, despite the limited scope of github_token.
Developers must reassess the use of Pull_request_target, by considering safer alternatives – Sysdig recommends separating workflows, first using unavigiated verifications, and only authorizes sensitive tasks after validation.
Limit the capacity of tokens and adopt real -time monitoring with tools such as Falco actions can also provide vital protection.
