Explore critical security vulnerabilities in GitHub Actions through this DEF CON conference talk that reveals how self-hosted runners can be exploited for supply chain attacks. Learn about the researchers' discovery of widespread GitHub Actions misconfigurations that enabled potential backdoors in major open-source projects, including a detailed case study of their attack on PyTorch. Understand the techniques, tactics, and procedures for escalating privileges within GitHub Actions workflows, starting from compromised self-hosted runners. Discover how insecure defaults in GitHub's security model create systemic vulnerabilities that expose projects to critical attacks from the public internet. Gain insights from the researchers' extensive campaign that resulted in numerous security reports and substantial bug bounties, while understanding the broader implications for CI/CD security in open-source projects, startups, and enterprises.
Grand Theft Actions - Abusing Self-Hosted GitHub Runners for Supply Chain Attacks
Overview
Syllabus
DEF CON 32 - Grand Theft Actions Abusing Self Hosted GitHub Runners - Adnan Khan, John Stawinski
Taught by
DEFCONConference
Related Courses
-
GitHub Actions Certification - Full Course to Pass the Exam
-
DevOps with GitHub and Azure: Implementing CI/CD with GitHub Actions
-
AZ-400: Implement CI with Azure Pipelines and GitHub Actions
-
Deploying GitHub Self-Hosted Runners on Kubernetes with ARC
-
Securing the Pipeline - Protecting Self-Hosted GitHub Runners
-
Securing Self-Hosted GitHub Actions with Kubernetes and Actions-Runner-Controller
