Security: GitHub Actions Vulnerabilities

[spencerlepine]

Identifying Actions security vulnerabilities regarding repository secrets and development/production workflows.

Trello Ticket #115

---

• Bad actors could inject malicious scripts into GitHub Actions.
• Workflows run on pull requests, so any custom GitHub Action steps could be run.
• Need CODEOWNERS file, requiring a review by me before .github/workflow changes are added to main branch
• GitHub Actions do not to use enviroments for ci and production
• GitHub secrets can be accessed in a GitHub actions.
  • A bad actor could COPY the secrets values to a file, and then simply print the file contents.
  • GitHub Actions prints out logs of the virtual machine, which can be viewed.

Research:

TOREAD: Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests - Article TOREAD: Keeping your GitHub Actions and workflows secure Part 2: Untrusted input - Article

TOREAD: How to Hide Sensitive Things in GitHub Actions Logs - Article

TOREAD: How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects - Article

TOCHECKOUT: Project Vulnerabilites Check w/ Synk - GitHub Action

GitHub Repository + Actions Encrypted Secrets - Documentation Accessing Enviroments in workflows: - Stack Overflow

Using environments for deployment - GitHub Article Use GitHub Actions Encrypted-secrets, production and CI, store secrets in environment instead

[spencerlepine]

Fixed with PR #51