code injection

[deepgray]

as a pentester on government systems, i frequently look for open githubs where i may be able to inject hostile code to be included in a deployment during continuous development / continuous integration…

and i’m a good guy…

what is to keep or prevent a hostile actor from injecting hostile code to be used on projects through open source processes?

[arichiv-usds]

That's a great question! I have a few initial thoughts:

• Sensitive data sources must not be accessible through publicly exposed CI
• Sensitive repositories should not use publicly exposed CD
• Repositories with publicly exposed CI/CD need to be especially careful accepting pull requests
• Where prudent, multiple layers of checks should occur after GitHub pull request review

[jordangov]

Thanks for the ping @deepgray! Ari's comments are more or less what I would say as well. We (all of gov really, not just DoD) need to be keen to identify potential security risks in our pipeline and call those out so that PR reviews don't introduce vulnerabilities.

Were there any specific flaws you've identified that we should address? If you need to disclose these non-publicly you can use our email address: code at dds.mil

[arichiv-usds]

Please re-open if we can provide additional clarification!