Overview
Explore critical security vulnerabilities in GitHub Actions through this DEF CON 32 talk, which shows how self-hosted runners can be abused for supply chain attacks. Learn how the researchers found widespread GitHub Actions misconfigurations that could have been used to backdoor major open-source projects, including a detailed case study of their attack on PyTorch. Understand the tactics, techniques, and procedures for escalating privileges within GitHub Actions workflows, starting from a compromised self-hosted runner. See how insecure defaults in GitHub's security model create a systemic weakness that leaves projects open to critical attacks from the public internet. Gain insights from the researchers' campaign, which produced numerous security reports and substantial bug bounties, and understand the broader implications for CI/CD security in open-source projects, startups, and enterprises.
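The exposure the abstract describes is a job that runs on a self-hosted runner in a workflow that a pull request can trigger. The audit below is an added example written for this page, not code from the talk, its authors, or GitHub: it takes workflow files as the dicts `yaml.safe_load` returns (the two sample pipelines are constructed inline) and flags every PR-reachable job whose `runs-on` is not a GitHub-hosted image. Treating any custom label, runner group or unresolved expression as self-hosted is this example's conservative policy, not a GitHub rule.

```python
"""Audit GitHub Actions workflows for self-hosted runners reachable from
pull-request events. Added example, not code from the talk or from GitHub.
Inputs are the dicts yaml.safe_load produces; samples below are constructed."""

from typing import Any

# Events a fork's pull request can fire against a public repository.
# pull_request_target is included because a fork PR fires it too, and it
# runs in the base repository's context.
PR_TRIGGERS = {"pull_request", "pull_request_target"}

# Labels of GitHub-hosted runner images start with one of these prefixes.
GITHUB_HOSTED_PREFIXES = ("ubuntu-", "windows-", "macos-")


def workflow_triggers(workflow: dict) -> set[str]:
    """Event names a workflow triggers on, for all three YAML spellings."""
    # yaml.safe_load parses the bare key `on:` as the boolean True (YAML 1.1
    # treats on/off/yes/no as booleans), so look under both keys.
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return {str(event) for event in on}
    return set()


def runs_on_labels(runs_on: Any) -> list[str]:
    """Flatten a `runs-on` value (string, list, or {group, labels}) to labels."""
    if runs_on is None:
        return []
    if isinstance(runs_on, str):
        return [runs_on]
    if isinstance(runs_on, list):
        return [str(label) for label in runs_on]
    if isinstance(runs_on, dict):
        labels = runs_on.get("labels", [])
        labels = [labels] if isinstance(labels, str) else [str(l) for l in labels]
        if "group" in runs_on:
            labels.append(f"group:{runs_on['group']}")
        return labels
    return [str(runs_on)]


def is_self_hosted(runs_on: Any) -> bool:
    """Assumption (this example's policy): a job is self-hosted unless every
    label is a GitHub-hosted image. The `self-hosted` label, custom labels,
    runner groups and unresolved `${{ ... }}` expressions all count."""
    labels = runs_on_labels(runs_on)
    if not labels:
        return False
    return not all(label.startswith(GITHUB_HOSTED_PREFIXES) for label in labels)


def audit_workflow(filename: str, workflow: dict) -> list[dict]:
    """One finding per self-hosted job in a workflow a pull request can trigger."""
    triggers = workflow_triggers(workflow) & PR_TRIGGERS
    if not triggers:
        return []
    findings = []
    for job_id, job in (workflow.get("jobs") or {}).items():
        runs_on = job.get("runs-on") if isinstance(job, dict) else None
        if is_self_hosted(runs_on):
            findings.append({"workflow": filename, "job": job_id,
                             "triggers": sorted(triggers),
                             "runs_on": runs_on_labels(runs_on)})
    return findings


def audit_all(workflows: dict) -> list[dict]:
    """Audit a {filename: parsed workflow} mapping."""
    findings = []
    for filename, workflow in workflows.items():
        findings.extend(audit_workflow(filename, workflow))
    return findings


# Constructed sample: a build job that runs pull requests on a self-hosted
# GPU runner, i.e. the weak configuration.
WEAK_CI = {
    "name": "CI",
    True: {"push": {"branches": ["main"]}, "pull_request": None},
    "jobs": {
        "lint": {"runs-on": "ubuntu-latest", "steps": [{"run": "make lint"}]},
        "build": {"runs-on": ["self-hosted", "linux", "gpu"],
                  "steps": [{"run": "make build"}]},
    },
}

# Constructed sample of the same pipeline split so that only pushes to the
# base repository ever reach the self-hosted runner.
PR_CI = {
    "name": "PR checks",
    True: ["pull_request"],
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [{"run": "make build"}]}},
}
GPU_CI = {
    "name": "GPU build",
    True: {"push": {"branches": ["main"]}},
    "jobs": {"build": {"runs-on": ["self-hosted", "linux", "gpu"],
                       "steps": [{"run": "make build"}]}},
}

if __name__ == "__main__":
    for f in audit_all({"ci.yml": WEAK_CI, "pr.yml": PR_CI, "gpu.yml": GPU_CI}):
        print(f"{f['workflow']}: job '{f['job']}' runs on {f['runs_on']} "
              f"for {f['triggers']}")
```

Run it over `.github/workflows/*.yml` after loading each file with `yaml.safe_load`. The audit only sees the workflow definition: it cannot tell whether the runner is ephemeral or shared with release and deployment jobs, which is what decides how much a compromised runner is worth to an attacker.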
Syllabus
DEF CON 32 - Grand Theft Actions: Abusing Self-Hosted GitHub Runners - Adnan Khan, John Stawinski
Taught by
DEFCONConference