Open mleblebici opened 9 months ago
This seems like a good idea. Can you explain what you would include in this that wouldn't be better suited for the existing CI/CD Security cheat sheet?
Hello, the one you mentioned covers all CI/CD security risks from a broader perspective. The one I proposed is specific and limited to GitHub Actions. So, it would include specific examples for GitHub Actions and specific security practices that are available for GitHub Actions. For example, it would mention misuse of the pull_request_target workflow trigger, which is specific to GitHub Actions and might not be relevant for other CI/CD components/solutions. As another example, the CI/CD cheat sheet mentions Least Privilege, but provides general guidance due to its scope. The proposed cheat sheet would provide more details on how it is achieved in the case of GitHub Actions, like preventing Actions from creating pull requests and restricting workflow permissions. So in short, we may compare these two to the Authorisation Cheat Sheet and the Transaction Authorisation Cheat Sheet.
Thank you. This sounds great to me. @jmanico @kwwall @mackowski what are your thoughts?
I like it
Sounds good to me.
-kevin
On Thu, Feb 8, 2024, 4:29 PM Jim Manico @.***> wrote:
I like it
Awesome. @mleblebici do you want to work on this?
Sure, we would like to work on this together with @jbrinksma.
@mleblebici are you still working on this?
What is the proposed Cheat Sheet about?
It will aim to provide guidance on configuring and utilising GitHub Actions securely.
What security issues are commonly encountered related to this area?
GitHub Actions security is needed to prevent supply chain attacks. GitHub Actions injection attacks are also common, which can result in unauthorised code execution, modified release packages, disclosure of secrets, etc.
What is the objective of the Cheat Sheet?
It will provide a comprehensive guide for developers and security practitioners with best practices and considerations for securing GitHub Actions workflows.
What other resources exist in this area?
There is an official hardening guide from GitHub. Even though it provides lots of guidance, there might be some additional things like whitelisting actions, using custom deployment protection rules, not using pull_request_target, etc. Also, to enable community support, it will be good to have an open-source guideline so that additional things can be added by the community.
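The two GitHub Actions-specific risks raised in this thread (misuse of the pull_request_target trigger together with unrestricted workflow permissions in the earlier comment, and expression injection into workflow steps in the issue body above) can be checked for mechanically. The following is an added example written for this discussion; it is not code from the issue, from the OWASP cheat sheet, or from GitHub. The two workflow files are constructed samples, one risky and one hardened. The checker works on the raw YAML text with regular expressions rather than a YAML parser, so it is a triage aid that can miss unusual layouts, and the list of untrusted expression contexts is an assumed starting set rather than an exhaustive one.

```python
import re

# Constructed sample: a workflow that runs on pull_request_target, checks out the
# PR head (untrusted code) with the base repository's token and secrets, and
# interpolates a contributor-controlled PR title straight into a shell step.
RISKY_WORKFLOW = """\
name: pr-check
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Checking ${{ github.event.pull_request.title }}"
      - run: npm install && npm test
"""

# Constructed sample: the same job on the plain pull_request trigger, with a
# read-only GITHUB_TOKEN and the untrusted value passed through an env variable.
HARDENED_WORKFLOW = """\
name: pr-check
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking $PR_TITLE"
      - run: npm ci && npm test
"""

# Expression contexts an external contributor controls (assumed starting set).
# Interpolating them into a run: script lets the contributor inject shell text.
UNTRUSTED_CONTEXTS = (
    r"github\.event\.(issue|pull_request|comment|review|review_comment|discussion)\.(title|body)",
    r"github\.event\.pull_request\.head\.(ref|label)",
    r"github\.event\.pull_request\.head\.repo\.(default_branch|description|homepage)",
    r"github\.event\.(commits|head_commit)\b",
    r"github\.head_ref",
)


def find_expression_injection(workflow_text):
    """Return (line_no, context) for each untrusted ${{ }} expression inside a run: step.

    Handles both single-line `run: ...` and block-scalar `run: |` steps by tracking
    indentation until the block ends.
    """
    findings = []
    in_run_block = False
    block_indent = 0
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = re.match(r"^(\s*)(- )?run:\s*(.*)$", line)
        if m:
            block_indent = len(m.group(1)) + (2 if m.group(2) else 0)
            in_run_block = m.group(3).strip() in ("|", ">", "|-", ">-", "|+", ">+")
            text = m.group(3)
        elif in_run_block:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= block_indent:
                in_run_block = False  # block scalar ended at a sibling key or step
                continue
            text = line
        else:
            continue
        for pattern in UNTRUSTED_CONTEXTS:
            for hit in re.finditer(r"\$\{\{\s*(" + pattern + r")[^}]*\}\}", text):
                findings.append((lineno, hit.group(1)))
    return findings


def uses_pull_request_target(workflow_text):
    """True when the workflow is triggered by pull_request_target (any on: syntax)."""
    return re.search(r"\bpull_request_target\b", workflow_text) is not None


def checks_out_pr_head(workflow_text):
    """True when a checkout is pinned to the PR head, i.e. the contributor's code."""
    pattern = r"ref:\s*\$\{\{\s*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref)\s*\}\}"
    return re.search(pattern, workflow_text) is not None


def has_permissions_block(workflow_text):
    """True when a workflow-level or job-level permissions: block restricts GITHUB_TOKEN."""
    return re.search(r"^ {0,4}permissions\s*:", workflow_text, re.M) is not None


def audit_workflow(workflow_text):
    """Return human-readable findings for one workflow file; empty list means clean."""
    findings = []
    if uses_pull_request_target(workflow_text) and checks_out_pr_head(workflow_text):
        findings.append("pull_request_target with checkout of the PR head: untrusted code "
                        "runs with the base repository's secrets and write-capable token")
    for lineno, ctx in find_expression_injection(workflow_text):
        findings.append(f"line {lineno}: untrusted context {ctx} interpolated into a run step; "
                        "pass it through an env variable instead")
    if not has_permissions_block(workflow_text):
        findings.append("no permissions: block; GITHUB_TOKEN keeps the repository default scope")
    return findings


if __name__ == "__main__":
    for name, text in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name} ==")
        for finding in audit_workflow(text) or ["no findings"]:
            print(" -", finding)
```

Run it as a script to see the three findings on the risky sample and none on the hardened one; in a real repository the same functions can be applied to every file under `.github/workflows/` as a pre-merge check. The hardened sample shows the two fixes the thread points at: a top-level `permissions:` block so the token is read-only by default, and untrusted event data passed via `env:` so the shell never sees the raw expression.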