
YouTube

Vulnerabilities and Misconfigurations in GitHub Actions: Security Risks and Mitigations

fwd:cloudsec via YouTube

Overview

Learn about critical security vulnerabilities in GitHub Actions through a 21-minute conference talk that examines three distinct vulnerability types affecting CI/CD pipelines. Explore practical code execution examples stemming from unsanitized user inputs, discover potential supply chain attacks targeting third-party actions used by organizations and government agencies, and understand the implications of OIDC misconfiguration between GitHub Actions and AWS. Master essential mitigation strategies for detecting and patching these vulnerabilities, while gaining insights into proper triage methods for potential exploits. Follow along with detailed examples covering user-controlled events, runtime files, supply chain security, AWS OIDC integration, and comprehensive security measures to protect GitHub Actions workflows.

Syllabus

Intro
What is GitHub Actions (GHA) tl;dr
Sample workflow
User Controlled event triggers
User Controlled Input
User Controlled Runtime files
Code Execution Impact
Supply Chain Exploit - Example
Supply Chain Exploit - Securing
AWS OIDC + GitHub Actions
OIDC Setup in AWS
OIDC-GHA Setup
OIDC & GHA Theory
OIDC & GHA Vulnerability - Example
OIDC & GHA Vulnerability - Highlights
Securing your OIDC & GHA
Conclusion - Securing your GHA

Taught by

fwd:cloudsec

