
Introduction
Continuous Integration/Continuous Deployment (CI/CD) pipelines are critical for modern DevOps workflows, but they are increasingly targeted by attackers. A recent exploit involves abusing GitHub pull request triggers to execute malicious code on self-hosted runners. This article explores the attack methodology, mitigation strategies, and best practices for securing your pipelines.
Learning Objectives
- Understand how attackers exploit pull request triggers in GitHub Actions.
- Learn defensive techniques to harden self-hosted CI/CD runners.
- Discover tools and commands to audit pipeline security.
You Should Know
1. Exploiting GitHub Pull Request Triggers
Attackers can submit malicious pull requests (PRs) that trigger workflows with embedded harmful code. Below is an example of a vulnerable GitHub Actions workflow:
```yaml
# Vulnerable: any pull request against main runs on the self-hosted runner
on:
  pull_request:
    branches: [ main ]
jobs:
  build:
    runs-on: self-hosted
    steps:
      - run: echo "Malicious code executed!"
```
Mitigation Steps:
1. Restrict workflow triggers to trusted branches (`push` instead of `pull_request` where possible).
2. Use `pull_request_target` cautiously and validate PR sources.
3. Implement branch protection rules in GitHub.
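A hardened counterpart to the vulnerable workflow above, as an added example rather than code from the original article: pull request code runs only on a GitHub-hosted runner with a read-only token, and the self-hosted runner is reserved for pushes to `main`. The job names and the `make` targets are hypothetical.

```yaml
name: build
on:
  push:
    branches: [ main ]      # code that has already been reviewed and merged
  pull_request:
    branches: [ main ]      # untrusted code, routed to the hosted job below

# Read-only GITHUB_TOKEN for every job unless a job asks for more
permissions:
  contents: read

jobs:
  # Pull request code never reaches the self-hosted runner
  pr-build:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest  # GitHub-hosted, discarded after the job
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - run: make test                 # hypothetical build command

  # The self-hosted runner only builds what is on main
  release-build:
    if: github.event_name == 'push'
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: make release              # hypothetical build command
```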
2. Hardening Self-Hosted Runners
Self-hosted runners are prime targets. Use these commands to audit runner security:
Linux:
```bash
# Check active processes on the runner
ps aux | grep -i "actions-runner"
# Inspect network connections
ss -tulnp | grep "runner"
```
Windows:
```powershell
# List running services related to GitHub Actions
# (wildcards are needed: -like "Actions" alone matches only that exact name)
Get-Service | Where-Object { $_.DisplayName -like "*Actions*" }
```
Best Practices:
- Isolate runners in a DMZ or ephemeral environments.
- Regularly rotate runner tokens and credentials.
3. Auditing GitHub Actions Permissions
Review workflow permissions to prevent excessive access:
```bash
# Use GitHub CLI to audit workflows
gh workflow list
gh workflow view <workflow_id>
```
Key Settings to Adjust:
- Limit `permissions` scope in workflows (e.g., `read-only` for secrets).
- Use OpenID Connect (OIDC) for cloud provider authentication instead of long-lived secrets.
4. Detecting Malicious Workflow Runs
Monitor suspicious activity with GitHub’s audit log:
```bash
# Fetch recent audit log entries (requires admin access)
gh api -H "Accept: application/vnd.github.v3+json" /orgs/{org}/audit-log
```
Red Flags:
- Unexpected workflow triggers from unknown contributors.
- Unusual artifact downloads or secret accesses.
5. Automating Pipeline Security with Sigstore
Sigstore helps verify workflow integrity. Install `cosign` to verify container images:
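```bash
# Verify an image's signature
# The identity must equal the certificate SAN exactly; for GitHub Actions it also carries the ref (e.g. ...ci.yml@refs/heads/main)
cosign verify ghcr.io/your-repo/image@sha256:1234 \
  --certificate-identity https://github.com/your-org/your-repo/.github/workflows/ci.yml \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
```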
Benefits:
- Ensures only signed, trusted code executes in pipelines.
What Undercode Say
- Key Takeaway 1: CI/CD pipelines are high-value targets; attackers exploit misconfigured workflows to gain persistent access.
- Key Takeaway 2: Self-hosted runners require strict isolation and monitoring to prevent lateral movement.
Analysis:
The rise of CI/CD exploits underscores the need for shift-left security. Organizations must adopt granular permissions, ephemeral runners, and artifact signing to mitigate risks. Training teams—like White Knight Labs’ DEF CON course—is critical to staying ahead of evolving threats.
Prediction
As DevOps adoption grows, CI/CD attacks will escalate, with adversaries targeting software supply chains more aggressively. Proactive measures, such as automated policy enforcement and real-time anomaly detection, will become standard in secure pipeline design.
Reported By: White Knight – Hackers Feeds


