GitHub Actions & Code Injection: Avoiding Vulnerable Configurations

categories icon Webinar

GitHub Actions is an increasingly popular DevOps tool mainly due to its rich marketplace and ease-of-use.

As part of our research of the GitHub Actions security landscape, we discovered that in writing a perfectly secure GitHub Actions workflow, several pitfalls could cause severe security consequences. For example, many developers would use event input data to improve their workflow process. However, this data could be controlled by an attacker, and potentially compromise the build process. Unless the developers deeply understand GitHub best-practices documents, these workflows are likely to have mistakes. Such mistakes are costly - and could create supply-chain risk to the application.

During the webinar, we discuss how we found and disclosed vulnerable workflows in several popular open-source tools, delved into GitHub Actions architecture to understand the possible consequences of these vulnerabilities, and present what could be the mitigations for such issues.

Presented by:

Alex Ilgayev
Alex Ilgayev
Head of Security Research

GET ACCESS

To access the resource please complete the form

By submitting this form I agree to be contacted by Cycode, and receive occasional offers & product updates via phone or email in line with Cycode's Privacy Policy.

RELATED CONTENT

You Might Also Like

header image
March 18, 2022

How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects

Cycode discovered critical vulnerabilities in several popular open-source projects, each of which can cause a supply-chain attack through the CI process.

avatar image
Alex Ilgayev
Head of Security Research
header image
April 19, 2022

GitHub OAuth Compromise Affecting Heroku and Travis-CI Users

On April 15, GitHub Security announced that it experienced a software supply chain attack on many of its private repositories due to abuse of stolen OAuth user tokens...

avatar image
Tony Loehr
Developer Advocate
header image
February 24, 2022

Implementing SLSA Source Requirements to Improve Software Supply Chain Security

SLSA source requirements help mitigate threats originating from source control management. 

avatar image
Tony Loehr
Developer Advocate

Get a Live Tour of The
Complete Approach to ASPM

Book a Demo