Vulnerabilities and Misconfigurations in GitHub Actions: Security Risks and Mitigations
fwd:cloudsec via YouTube
Overview
Syllabus
Intro
What is GitHub Actions (GHA) tl;dr
Sample workflow
User-Controlled Event Triggers
User-Controlled Input
User-Controlled Runtime Files
Code Execution Impact
Supply Chain Exploit - Example
Supply Chain Exploit - Securing
AWS OIDC + GitHub Actions
OIDC Setup in AWS
OIDC-GHA Setup
OIDC & GHA Theory
OIDC & GHA Vulnerability - Example
OIDC & GHA Vulnerability - Highlights
Securing your OIDC & GHA
Conclusion - Securing your GHA
Taught by
fwd:cloudsec