Overview
Explore the critical security risks associated with third-party GitHub Actions in this eye-opening conference talk. Delve into an analysis of build logs from top GitHub repositories, uncovering alarming issues related to permissions and build integrity. Learn about the widespread failure to manage build permissions effectively and the potential consequences, including unauthorized access to cloud resources and malware introduction. Examine the concept of "unpinnable actions" and challenge common security practices, such as action pinning. Discover the conditions that render actions unpinnable and gain insights into the surprising percentage of popular actions that fall into this category. Equip yourself with essential knowledge to enhance the security of your CI/CD pipelines and protect your projects from overlooked vulnerabilities in third-party GitHub Actions.
Syllabus
GF - Actions have consequences: The overlooked Security Risks in 3rd party GitHub Actions
Taught by
BSidesLV