OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International

New CS proposal: GitHub Actions #1306

Open mleblebici opened 5 months ago

mleblebici commented 5 months ago

What is the proposed Cheat Sheet about?

It will aim to provide guidance on configuring and utilising GitHub Actions securely.

What security issues are commonly encountered related to this area?

GitHub Actions security is needed to prevent supply chain attacks. GitHub Actions injection attacks are also common, which can result in unauthorised code execution, modification of release packages, disclosure of secrets, etc.

What is the objective of the Cheat Sheet?

It will provide a comprehensive guide for developers and security practitioners with best practices and considerations for securing GitHub Actions workflows.

What other resources exist in this area?

There is an official hardening guide from GitHub. Even though it provides lots of guidance, there might be some additional things like whitelisting actions, using custom deployment protection rules, not using pull_request_target, etc. Also, to enable community support, it would be good to have an open-source guideline so that additional things can be added by the community.

szh commented 5 months ago

This seems like a good idea. Can you explain what you would include in this that wouldn't be better suited for the existing CI/CD Security cheat sheet?

mleblebici commented 4 months ago

Hello, the one you mentioned covers all CI/CD security risks from a broader perspective. The one I proposed is specific and limited to GitHub Actions. So it would include specific examples for GitHub Actions and specific security practices that are available for GitHub Actions. For example, it would mention misuse of the pull_request_target workflow trigger, which is specific to GitHub Actions and might not be relevant for other CI/CD components/solutions. As another example, the CI/CD cheat sheet mentions Least Privilege but provides general guidance due to its scope. The proposed cheat sheet would provide more details on how it is achieved in the case of GitHub Actions, like preventing Actions from creating pull requests and restricting workflow permissions. So in short, we may compare these two to the Authorisation Cheat Sheet and the Transaction Authorisation Cheat Sheet.
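To make concrete the two GitHub-Actions-specific issues raised in this thread (the pull_request_target misuse and the expression-injection risk mentioned in the proposal, plus least-privilege workflow permissions), here is an added illustration that is not part of the issue or the cheat sheet: a risky workflow beside a hardened equivalent. Workflow and job names are illustrative; `actions/checkout@v4`, `pull_request_target`, `permissions:` and the `github.event.pull_request.*` context fields are real GitHub Actions features.

```yaml
# Added example (not from the issue thread). Two workflow documents:
# the first reproduces the misuse pattern, the second is the hardened form.

# --- RISKY: pull_request_target runs in the context of the base repository,
# so it gets repository secrets and a write-capable GITHUB_TOKEN, yet this
# workflow checks out and executes the fork's code. It also expands an
# attacker-controlled string (the PR title) directly into a shell script.
name: pr-check-risky
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled code
      - run: npm ci && npm test                              # executed with secrets present
      - run: echo "Title: ${{ github.event.pull_request.title }}"  # template injection into sh
---
# --- HARDENED: plain pull_request (fork PRs get no secrets and a read-only
# token), an explicit least-privilege permissions block, and untrusted
# input passed through an environment variable rather than interpolated
# into the script text. In practice also pin actions to a full commit SHA
# and allow-list which actions the organisation may use.
name: pr-check-hardened
on:
  pull_request:
permissions:
  contents: read            # only what the job needs; nothing else is granted
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
      - name: Show PR title safely
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}  # assigned, never expanded into code
        run: printf 'Title: %s\n' "$PR_TITLE"
```

The second document is what a reviewer would expect to see under a least-privilege heading: the trigger no longer hands secrets to fork code, the token scope is declared rather than inherited, and untrusted event data cannot alter the shell script.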

szh commented 4 months ago

Thank you. This sounds great to me. @jmanico @kwwall @mackowski what are your thoughts?

jmanico commented 4 months ago

I like it

kwwall commented 4 months ago

Sounds good to me.

-kevin

On Thu, Feb 8, 2024, 4:29 PM Jim Manico @.***> wrote:

I like it


szh commented 4 months ago

Awesome. @mleblebici do you want to work on this?

mleblebici commented 4 months ago

Sure, we would like to work on this together with @jbrinksma.