In this workshop we will learn about the risk of script injection in GitHub Actions workflows, and how to mitigate that risk.
In this workshop, you will:
Before joining the workshop, there are a few items that you will need to install or bring with you.
There are many IssueOps tasks you can automate with GitHub Actions. A common use case is a request/approval process:
An example of this is request-repo-create.
In this example, user input from the issue body is parsed and used in the workflow as the name of the new repository to be created.
You should always be careful when using user input in your workflows. User-controlled text can reach a workflow through any of the following contexts:
github.event.issue.title
github.event.issue.body
github.event.pull_request.title
github.event.pull_request.body
github.event.comment.body
github.event.review.body
github.event.review_comment.body
github.event.pages.*.page_name
github.event.commits.*.message
github.event.head_commit.message
github.event.head_commit.author.email
github.event.head_commit.author.name
github.event.commits.*.author.email
github.event.commits.*.author.name
github.event.pull_request.head.ref
github.event.pull_request.head.label
github.event.pull_request.head.repo.default_branch
github.head_ref
The Check issue title workflow simply checks whether the issue title (github.event.issue.title) begins with octocat. If so, the workflow succeeds; if not, the workflow fails.
The Check issue title with action workflow uses an action that simply checks whether its input begins with octocat. If so, the action succeeds; if not, the action fails.
Both the workflow and the action above are vulnerable to script injection. Let's find out why they are vulnerable, and how to exploit them.
Exercise 1
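Exercise 1 asks why this is exploitable. As an added example (not the workshop repository's own workflow file), here is a workflow of the shape described above; the workflow, job and step names are assumptions, the check mirrors the description, and the comments show an issue title that turns the check into arbitrary command execution:

```yaml
# Added example: a "check issue title" workflow that is vulnerable to script injection.
# This is not the workshop repository's file; workflow, job and step names are illustrative.
name: Check issue title (vulnerable)

on:
  issues:
    types: [opened, edited]

jobs:
  check-title:
    runs-on: ubuntu-latest
    steps:
      - name: Check that the title begins with octocat
        # VULNERABLE: the runner expands ${{ ... }} into the script text *before*
        # bash parses it, so the issue title is spliced in as code, not as data.
        #
        # An issue titled (constructed payload):
        #   a"; ls $GITHUB_WORKSPACE; echo "
        # turns the first line of this script into:
        #   title="a"; ls $GITHUB_WORKSPACE; echo ""
        # and the injected command runs before the check is ever evaluated.
        run: |
          title="${{ github.event.issue.title }}"
          if [[ "$title" =~ ^octocat ]]; then
            echo "Title starts with octocat"
          else
            echo "Title does not start with octocat"
            exit 1
          fi
```

No amount of shell quoting inside `run:` helps here: the quotes are themselves part of the text the runner rewrites. Whatever the injected command does, it runs with the job's `GITHUB_TOKEN` and any secrets the step exposes. The same mechanism applies verbatim to `github.event.comment.body` in Exercise 2 and to every other context in the list above.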
The Check issue comment workflow simply checks whether the issue comment (github.event.comment.body) begins with octocat. If so, the workflow succeeds; if not, the workflow fails.
This workflow is vulnerable to script injection. Let's find out why it is vulnerable, and how to exploit it.
Exercise 2
In CodeQL, code is treated like data. Security vulnerabilities, bugs, and other errors are modeled as queries that can be executed against databases extracted from code. You can run the standard CodeQL queries, written by GitHub researchers and community contributors, or write your own to use in custom analyses. Queries that find potential bugs highlight the result directly in the source file.
In CodeQL, the JavaScript language extractor includes support for YAML, and the libraries support the Actions framework. GitHub also provides queries for some common CWEs in Actions workflows.
GitHub Advanced Security uses CodeQL as the tool for Code Scanning. Code Scanning creates security alerts when vulnerabilities are found. These alerts can be viewed in GitHub and can block merges into protected branches. When a developer fixes a vulnerability, GitHub will automatically close the alert as resolved.
In the next exercise we will learn how CodeQL can detect Script Injection in GitHub Actions Workflows and understand how GitHub Advanced Security can mitigate Script Injection vulnerabilities in Workflows.
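To have CodeQL analyze the workflow files at all, the repository needs a code scanning workflow that initializes the JavaScript extractor, which is what picks up the YAML under .github/workflows. As an added example (not the workshop's own file; the workflow name, job name and branch names are assumptions), a minimal code scanning workflow:

```yaml
# Added example (not the workshop's file): run CodeQL with the JavaScript extractor,
# which also extracts the YAML under .github/workflows so the Actions queries can see it.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read          # needed by actions/checkout
  security-events: write  # needed to upload results as code scanning alerts

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript

      - name: Run CodeQL analysis
        uses: github/codeql-action/analyze@v3
```

Running on `pull_request` is what lets the resulting alerts block a merge into a protected branch; running on `push` keeps the default branch's alert list current so that a fix closes the alert as resolved.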
Now let's learn how to mitigate the script injection vulnerability in the run command.
Exercise 4
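The mitigation for a `run:` step is to move the expression out of the script and into an environment variable, so the shell receives the value as data. As an added example (not the workshop's own file; names are assumptions), the hardened version of the title check:

```yaml
# Added example: the same check with the title passed through an environment variable.
# Not the workshop repository's file; workflow, job and step names are illustrative.
name: Check issue title (hardened)

on:
  issues:
    types: [opened, edited]

permissions:
  issues: read   # least privilege: the job only needs to read the issue

jobs:
  check-title:
    runs-on: ubuntu-latest
    steps:
      - name: Check that the title begins with octocat
        env:
          # The expression is evaluated here, into the step's environment,
          # never into the script text. Bash sees only a variable to expand.
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          if [[ "$ISSUE_TITLE" =~ ^octocat ]]; then
            echo "Title starts with octocat"
          else
            echo "Title does not start with octocat"
            exit 1
          fi
```

With the payload from Exercise 1, `$ISSUE_TITLE` now holds the literal string `a"; ls $GITHUB_WORKSPACE; echo "`, the regex test is simply false, and the step fails cleanly. Keep the variable double-quoted wherever it is used, and apply the same pattern to every context in the list above, not only the title.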
Now let's learn how to mitigate the script injection vulnerability in the github-script action.
Exercise 5
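A github-script step has the same problem in JavaScript clothing: an expression inside `script:` is expanded into the source before Node compiles it, so a title of the form `x"; <code>; //` closes the string literal and appends code. As an added example (not the workshop's own file; names are assumptions), the vulnerable and hardened steps side by side:

```yaml
# Added example (not the workshop's file): a github-script step, vulnerable form
# and hardened form side by side. Keep only the hardened step in a real workflow.
name: Check issue title with github-script

on:
  issues:
    types: [opened, edited]

permissions:
  issues: read

jobs:
  check-title:
    runs-on: ubuntu-latest
    steps:
      # VULNERABLE: the title is expanded into the JavaScript source text before it
      # is compiled, so a title containing `"; ... //` becomes code.
      - name: Check title (vulnerable)
        uses: actions/github-script@v7
        with:
          script: |
            const title = "${{ github.event.issue.title }}";
            if (!title.startsWith('octocat')) {
              core.setFailed('Title does not start with octocat');
            }

      # HARDENED: read the title from the webhook payload that github-script already
      # exposes as `context.payload`; no expression is expanded into the source at all.
      - name: Check title (hardened)
        uses: actions/github-script@v7
        with:
          script: |
            const title = context.payload.issue.title;
            if (!title.startsWith('octocat')) {
              core.setFailed('Title does not start with octocat');
            }
```

If the value you need is not in the payload, pass it the same way as for a `run:` step: set it under `env:` on the step and read `process.env.ISSUE_TITLE` in the script, so it arrives as a string value rather than as source text.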
We know CodeQL is an excellent tool for detecting vulnerabilities because:
In the next exercise we will explore how to expand the coverage by using third-party queries to detect unpinned actions in workflows.
In the next exercise we will explore how to expand the coverage by using custom queries to detect improper use of AWS credentials in workflows.
You can learn about script injections at Understanding the risk of script injections
You can learn about security hardening for GitHub Actions at Security hardening for GitHub Actions
You can find examples of CodeQL queries at CodeQL queries
You can find CodeQL tutorials in our CodeQL documentation. The tutorials introduce concepts that you can practice in this codespace.
We also have CodeQL language guides to help you experiment and learn how to write effective and efficient queries for CodeQL databases generated from the languages supported in CodeQL analysis.
You can prepare for certification in GitHub Advanced Security and Code Scanning by visiting the Microsoft Learning Page for Advanced Security.
You can learn about Codespaces at Codespaces