►
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Pwning the CI (with GitHub Action Workflows) - Stephen Giguere, Bridgecrew
Our journey to open source and GitOps heaven has exposed new security challenges as our CI platforms are exposed to the outside world. The soft underbelly of our development pipeline is visible as much to willing contributors as it is to malicious subversives looking for the keys to the backdoor. In this talk we'll start with basic social engineering and progress to demostrating live some known potential abuses to GitHub Actions workflows in combination with an insecure GitHub configuration to show how alluring defaults and straight-up bad practices can leave our supply chain, wide open to attackers.
A
All
right,
I'm
gonna
go
I,
don't
know
if
they
do
intros
in
this
room.
I'll
just
do
both
hi
welcome
to
security,
con
Cloud
kubecon.
This
is
my
first
time
ever
talking
one
of
these.
So
what
could
go
wrong
right?
I
got
a
lot
of
moving
Parts
I'm,
trying
to
warm
this
room
up
for
probably
better
things
to
come.
A
A
This
is
pulling
the
CI
and
I'll
just
dive
straight
to
it.
The
story
behind
this
I
was
asked
to
research
this,
because
this
happened
to
our
open
source
project
checkoff.
We
got
a
pull
request
one
day
from
this
guy
and
I'm,
going
to
just
highlight
that,
because
there's
a
little
re
return
to
that
earlier,
because
this
this
talk,
it's
more
interesting
as
time
goes
on,
because
weird
stuff
keeps
happening
to
us,
but
you
can
see.
There's
a
name
up.
A
A
So
obviously
we
didn't
accept
this
PR
almost
did,
but
that
would
have
been
bad
because
our
cell
phone
surrender
has
also
some
information
on
it.
Both
in
terms
of
environment
variables
see
my
processes
are
running.
These
are
all
bad
things,
so
I
was
then
rcto
BRAC
said:
can
you
just
like
dive
into
this?
How
bad
could
it
have
been
for
us?
So
I
did
and
that's
this
is
kind
of
result.
The
first
thing,
of
course,
was
I
had
to
break
the
news
to
him
that
generally
running
self-hosted
Runners
on
open
source
project
is
considered
bad.
A
But
of
course,
if
you
look
out
in
the
world
and
see
how
many
people
actually
use
self-hosted
Runners
on
public
projects,
all
right,
let's
just
forget
what
best
practices
are
and
just
go
with
the
actual
reality
of
what's
really
happening
and
I
have
a
link
down
there.
You
don't
have
to
take
photos
of
Links
at
the
very
end.
I
have
one
one
slide
that
has
every
link
that
I
use.
So
if
you
just
want
to
go
click
and
look
around,
then
you
can
do
that.
This
is
the
obligatory
me
slide.
A
Where
I
inflate
my
ego,
the
cloud
native
security,
Advocate
I
work
for
bridge
crew,
Bridge
crew
is
bought
by
prismacloud,
which
is
Palo
Alto
networks.
It's
like
it's
I'm,
not
sure
who
I
work
for
somebody.
I've
been
writing
code
since
the
19th
and
doing
a
lot
of
security
thingies.
If
you're
ever
in
London,
England
ping
me
and
come
to
our
Meetup,
we
run
a
meet
up
in
London
called
devsecops
London
Gathering
every
month.
A
I
have
a
lot
of
wonderful
guests
on
there
and
if
you
ever
want
to
kill
an
hour
on
a
Friday
around
three
three
o'clock,
there's
a
show
on
Twitch
called
c9k.
It
used
to
be
called
something
quite
profane
turns
out.
Youtube
doesn't
like
that.
So
we
had
to
change
the
name.
There's
a
perfectly
innocent
QR
code.
Go
ahead
and
scan
that
so
get
imagine,
workflows,
hands
up
if
you
use
GitHub
action,
workflows
great,
so
I
can
speed
through
this.
A
So
I
do
a
lot
of
grabbing
the
the
actual
text
from
GitHub,
because
their
own
help
I
found
kind
of
takes
you
down
the
wrong
path
sometimes,
but
this
is
just
what
it
says.
It
says
you
can
create
workflows
to
do
what
three
things
build
your
application,
deploy
your
application
or
do
just
stop
like
add
a
label
to
an
issue.
You
can
sanitize
an
issue,
Etc
I'm,
going
to
be
doing
some
of
these
things
live,
so
if
it
all
blows
up
in
my
face,
that's
what
it's
going
to
do
today.
A
The
fundamental
problem
generally,
is
that
if
you
submit
a
pull
request
like
this
person
tried
to
do
that
is
in
the
GitHub
workflows
path,
it
will
try
and
execute
the
workflow.
It
doesn't
know
the
difference
between
a
pre-existing
workflow
and
one
that
you're
sending
in
is
the
commit
which
is
weird.
A
The
other
thing
is
that
a
lot
of
the
creation
of
workflows
is
generally
done
by
people
who
weren't
appsec
professionals
and
they
don't
quite
have
the
mentality
of
sanitizing
your
inputs.
Yet
so
you've
got
things
like
issue
name
issue
description.
The
list
of
potential
inputs
is
actually
pretty
big,
and
particularly,
if
you
use
things
like
workflow
run
triggers
where
you're
feeding
one
workflow
into
another,
then
it
really
complicates
what
is
considered
input
our
user
controlled
input.
A
So
a
lot
of
people
aren't
doing
that
and
there's
a
lot
of
things
that
can
happen
as
a
result
of
that
and
the
last
one,
of
course,
that
workflow
directory
it
doesn't
have
special
permissions.
You
can
add
permissions
to
it,
but
by
default
anything
anybody
can
submit
anything
to
it.
So
that's
not
great.
A
So
as
a
result
of
that
there's
a
few
things
that
can
happen
across
all
of
these.
So
if
you're,
not
sanitizing
inputs,
you
can
do
some
kind
of
command
injection
into
there.
If
I
know
that
you're
using
something
to
build
or
even
deploy,
then
I'm,
assuming
that
you
might
have
some
access
to
credentials
on
your
self-hosted
Runner.
So
what
can
I
do
to
try
and
Achieve
acquiring
those
credentials
and
execute
some
form
of
supply
chain
attack,
so
this
is
this
is
what
I
was
challenged
with.
A
What
I
found
kind
of
confusing
down
to
the
box
is
some
of
the
reactions
GitHub
has
when
you
are
a
new
contributor,
like
the
first
one
up
there.
Let's
just
do
this.
This
is
exactly
what
happened
to
us
and
actually,
if
we
go
here,
you
can
see.
I've
got
two
people
here.
I've
got
this
a
malicious
person
called
Loud
Canadian
and
then
I
have
this
nice
person
over
here
called
eurogig
who's.
Just
trying
to
maintain
this
wonderful
application
and
I've
submitted
a
pull
request
and
sure
enough.
A
Which
actually
I
am
going
to
click
now
because
I
don't
mind
just
to
kind
of
push
things
along
I'm
going
to
merge
this
pull
request
I'm,
going
to
confirm
the
marriage
fabulous
awesome.
So
now
this
person
is
a
wonderful
contributor.
So
what
happens
in
GitHub?
Is
you
don't
get
these
instructions
on
the
top
you
just
weren't
there.
A
This
is
from
the
help,
and
that
does
warn
you
that
if
the
contribution
is
in
the
GitHub
workflows
directory
be
alert
fantastic,
what
could
go
wrong
if
you
have
no
workflows
whatsoever,
it
kind
of
scolds
you
and
says
hey.
Why?
Don't
you
have
workflows
come
on
man?
You
can?
You
could
use
this
to
catch
bugs
and
enforce
style.
Workflows
are
a
good
thing
for
security.
A
A
The
default
for
outside
collaborators
is
that
you
only
require
approval
for
the
first
thing
you
do,
which
I
just
did
once
you've
done
that
you're
an
Insider
awesome,
so
it's
far
easier
to
become
a
malicious
Insider,
just
by
changing
a
readme
or
going
to
the
good
first
issues
and
doing
something
really
simple
and
then
you've
bypassed
this
whole
workflow
conundrum
sounds
a
little
too
good
to
be
true,
so
I
have
just
submitted
something.
Here's
the
first
thing
I'm
going
to
play
with
now,
which
is
unsanitized
inputs
to
workflows.
A
Here's
an-
and
this
is
me
looking
around-
for
how
do
people
do
this
in
the
real
world?
So
I
look
just
look
for
GitHub
event,
issue.
Title
I
found
this
one,
which
was
pretty
cool
somebody's,
creating
generating
blog
Pages
based
on
issues
that
are
submitted,
that's
kind
of
neat.
So
what
if
I
create
an
issue
with
a
title
that
has
a
bunch
of
HTML
in
it
that
might
fish
for
information?
When
someone
goes
to
that
blog
page,
there
isn't
any
real
Auto
sanitization
of
what
the
issue
title
can
be.
A
A
Then,
when
I
just
submitted
a
moment
ago,
here
we
can
take
a
look
at
the
files
changed.
Is
that
one
that
is
designed
to
look
like
a
positive
contribution?
I'm
checking
the
input,
GitHub
event
issue
title
to
make
sure
it
formats
to
a
certain
way
and
I
look
like
I'm
contributing
to
the
project
in
a
positive
way,
which
is
great
and
that's
it
there
it's
great.
Unless,
if
I
create
an
issue-
and
you
probably
would
think
surely
GitHub
won't,
let
you
create
an
issue
with
this
weird
title?
A
A
A
A
Everybody
knows
what
a
back
dick
does
fabulous,
because
the
even
if
I,
see
equals
or
I
assign
the
value
or
do
anything
and
I
get
a
workflow.
It
happens
in
a
batch
script
basket
basket.
Seeds,
a
backtick
and
it's
like
cloud
formation
sees
a
dollar
squiggle.
It
tries
to
resolve
the
meaning
of
it
before
it
does
the
assignment
so
I
hadn't
really
screwed
this
up.
So
if
I
create
this
issue,
issue.
A
Go
back
to
my
web
hook
site
and
so
I
now
have
all
the
environment
variables
from
that
particular
Runner.
By
the
way,
if
you
ever
use
webhook.site,
it's
awesome
just
for
testing
things.
It's
also
good
for
messing
with
people,
but
it
was
kind
of
that
easy.
So
that
was
like
the
first
thing
ever
was
like
all
right.
So
any
of
these
sites
that
are
doing
any
kind
of
input,
sanitization
I,
can
now
just
vacuum
out
all
of
their
environment
variables
in
a
much
easier
way
than
what
was
attempted
on
us.
A
So
that
was
interesting
thing
number
one,
but
there's
ways
to
protect
yourself
from
this
like
there
are
Environmental
Protection
rules
and
environmental
secret
rules
that
already
exist.
There's
a
link
down
the
bottom.
So
if
something
you're
watching
that
you're
going,
oh,
maybe
I
should
only
give
certain
workflows
certain
access
to
certain
environment,
variables
and
secrets
you
should.
A
The
link
will
be
at
the
end.
It
looks
as
simple
as
environment,
name
the
environment
Etc.
So
it's
a
really
really
simple
things:
to
implement.
Generally
I
found
that
you
should
nearly
never
have
like
hard-coded
credentials,
even
if
you
think
they're
stored.
As
Secrets
you'll
find
out
later,
why
about
that?
But
it's
not
a
good
thing.
Short-Lived
tokens
are
important.
A
If
you
use
self-hosted
Runners,
it
can
be
an
advantage
because
you
can
create
lists
that
and
make
sure
that
your
only
certain
IPS
can
talk
to
certain
IPS
so
that
cell
phone
supporters
can
be
an
advantage
in
AWS
reporting
is
important.
Openid
connect,
GitHub
actions
does
use
oidc,
it
doesn't
use
spiffy
Spire,
unfortunately
yet,
but
if
you
can
make
sure
you
use
that
to
access
any
kind
of
cloud
provider,
definitely
do
that
instruction,
specific
or
Amazon
are
down
there
and
also
just
generic
ones
for
github.com.
A
So
when
this
happened,
it
was
really
fascinating,
because
our
own
repo
wasn't
as
secure
as
we
really
thought.
It
should
be
number
two
I'm
not
going
to
show
this
one,
but
I
just
find
it
fascinating.
Maybe
I
will
show
it
later.
So
this
brought
me
to
Branch
protection
rules.
You
should
always
have
your
branch
production
turned
on
what
was
amazing
about
when
Chekhov
first
started.
We
were
a
startup
and
we
didn't
know
how
popular
it
was
going
to
get
so
it
must
have
had
a
thousand
stars
before
we
had
Branch
protection
turned
on.
A
It
seems
crazy,
but
we
were,
and
we
were
inviting
collaborators
like
anybody,
help
help
and
that
when
that
turns
into
a
SAS
solution,
you
become
a
startup
and
you're
like.
Maybe
we've
got
to
go
back
to
the
original
effort
that
we
could
have
quickly
sped
ahead
on.
If
you
turn
on
Branch
protection,
you
should
almost
have
everything
ticked.
Nobody
ever
does
if
you
do
tick
by
default.
A
The
first
thing
require
a
pull
request
for
emerging,
which
you
should
you
require
approvals,
which
you
should
a
lot
of
people
think
they're
done,
but
the
default
down
there
of
one
is
kind
of
where
it
gets
a
little
dicey,
because
you
can
approve
yourself
so
over
here.
This
changed
in
April
this
year
this
year,
the
default.
This
is
what
you
should
have
for
workflow
permissions.
This
is
the
the
good
thing
read
repository
content
is
permission
in
a
workflow.
This
is
what
the
GitHub
token
should
be
able
to
do.
A
That's
not
the
default,
though
the
default
is
that
there
was
about
a
day
or
a
week
or
something
where
the
default
was
the
correct
default
for
new
repos
and
everybody
freaked
out,
because
they
weren't
expecting
that
to
be
the
default,
and
so
they
went
back
to
that.
So
just
to
know
that's
there.
So
if
you
create
a
new
repo,
the
GitHub
token,
if
you
will
have
a
way
more
access
than
you
think,
it's
the
difference
between
these
that
middle
column.
A
So
I
hope
it's
not
too
small
I'll
show
it
again
later,
but
to
do
a
curl,
but
little
workflow
I
was
surprised
to
see
and
by
the
way,
if
anybody
from
cider
security
is
here.
This
is
their
research,
not
mine.
You
have
everything
you
need
to
do.
A
curl
command.
You've
got
the
GitHub
repository.
You
get
the
GitHub
event
number,
which
is
the
pull
request.
You've
got
the
secret
GitHub
token,
like
you
can
just
assemble
a
command.
A
That's
not
all
you
can
do
there's
a
lot
of
things.
This
is
just
going
to
get
your
imagination
going
all
right.
So
the
last
one
fingers
crossed
the
works.
This
is
the
one
that
I
tried
to
submit
because
I
thought
this
is
the:
how
bad
could
it
be
section
so
zooming
in
on
there
I
thought
all
right,
so
I
can
get
the
environment
variables.
How
can
I
get
the
secrets?
A
How
long
can
I
the
GitHub
token
be
alive
for
the
GitHub
token
dies
at
the
moment
the
job
dies,
so
I
stick
a
sleep
in
there
and
now
I
get
a
GitHub
token
as
well,
and
the
secrets
and
the
environment
rows
cool
and
then
I
was
kind
of
feeling
nasty.
So
I
did
this
version,
which
I
thought
all
right.
Well,
what
if
I
could
do
a
reverse
shell
and
then
send
that
out
to
myself
and
then
that
would
make
everything
persist
for
as
long
as
I
wanted,
so
I
thought
yeah
I'll!
Do
that
one!
A
A
A
I
just
got
an
email
telling
me
I'm
at
it.
Yeah
also
add
to
main
I'm
going
to
turn
this
on.
There
we
go
now.
I
should
have
a
lot
of
this
stuff
turned
on,
but
I.
Don't
know
why
anybody
would
turn
on
do
not
allow
bypassing.
Why
is
that
even
there
there's
some
weird
stuff
in
Branch
protection,
nice,
so
I'm
all
set
up
there
I've
got
code.
A
A
I,
if
you're
going
to
add
something
dodgy,
don't
call
it
pone.aml,
that's
that's
a
dead
giveaway,
that's
a
little
tip
for
you
budding
hackers
out.
There
is
my
file
now
the
difference
between
this
one,
the
one
I
just
showed
you
is.
This
actually
has
the
audio
approvement
as
well
just
for
kicks
up
here.
That's
you
probably
need
a
telescope
to
read
that,
but
here
we
go
okay,
so
I
have
my
little
Auto
approve
in
there,
which
should
in
theory,
work.
A
A
A
The
idea
of
getting
a
being
able
to
run
things
in
shells
is
one
thing,
but
to
be
able
to
destroy
evidence
of
and
be
able
to
have
full
access
to.
The
repository
that
I
just
took
over
make
changes
to
pretty
much
anything
in
the
code
change
the
adjacent
code
if
it's
a
shared
self-hosted,
Runner
and
even
turn
off
the
pull
request
remotely
so
that
I
can
stay
on
the
self-hosted
runner
independent
of
GitHub.
Now.
A
If
you're
in,
if
you're
taking
part
in
the
CTF,
pretty
much
all
the
things
that
you
want
to
do
on
the
CDF
I
can
start
looking
for
AWS
information
that
might
be
still
as
environment
variables.
I
can
change
the
logging
level
on
the
runner
that
I'm
on
right
now
I
could
get
it
to
report
back
to
me,
I
can
I
can
add
my
own
SSH
token.
So
I
can
come
back
directly
to
the
runner.
With
all
of
this
staff,
I
can
look
with
processes.
A
The
network
I
can
look
for
access
to
S3
buckets
so
much
I
can
do
now.
The
next
thing,
I
want
to
say
is
important
information,
I'm
saying
don't
be
a
bif.
You
recognize
this
from
Back
to
the
Future.
Don't
be
a
Biff
with
this
information,
the
thing
that
started
all
this.
This
is
where
it
changed
a
month
ago.
This
crossed
my
path
in
my
mass
network
of
information
that
comes
to
me
via
newsletters,
and
whatever
this
came
in
and
I
was
like.
Oh
Zucker,
punch
abusing
stuff
was
good
I'm
running
to
Facebook.
A
A
I
looked
at
what
was
happening
here,
he
says
Facebook
actually
was
Pi
torch,
which
is
Facebook,
which
is
now
Linux
Foundation,
and
he
goes
through
all
of
his
he's
kind
of
bragging
about
everything
that
he
did
all
the
way
through
and
really
it
turned
out.
Ollie
was
was
after
money,
he's
calling
it
a
bug.
Bounty.
There
was
no
bug
Bounty,
but
he
just
went
through
and
was
like
using
this
thing,
but
now
I
realized.
A
We
were
part
of
the
whole
scatter
gun
approach
to
trying
to
find
people
who
had
misconfigured,
GitHub
or
insecurely
considered
GitHub
and
I'm
like
you,
could
have
really
messed
with
us,
like
if
we'd
clicked,
that
that
would
have
really
bad
for
our
own,
because
checkout
is
what
powers
our
commercial
solution
and
that
would
have
been
not
cool,
and
so
my
little
comment
on
that
is
that
I
don't
think
it's
pretty
like
I
love,
bug,
bounties,
I,
think
they're
a
great
idea.
They
make
us
more
secure.
A
Do
it
on
actual
bug,
bounties
that
just
I
just
thought
the
behavior
was
terrible.
The
good
thing
about
his
article
is
that
because
he
was
actually
doing
this
to
real
people,
he
got
observations
that
I
couldn't
get.
He
did
find
out
that
many
self-hosted
Runners
did
have
access
to
S3
buckets.
He
did
find
out
that
many
had
access
to
ECR
without
ecr's
immutable
tagging,
so
he
could
change
the
images
while
maintaining
the
tag,
thus
supply
chain
attack.
A
A
Self-Hosted,
Runners
and
public
repositories
are
being
targeted,
I
mean
Branch.
Protection
is
important
more
than
one
reviewer,
but
there's
lots
of
things
inside
Branch
protection.
You
really
should
read
every
single
one
and
make
sure
you
understand
what
they
are:
don't
run
workflows
unless
you're
100,
sure,
Environmental,
Protection,
short
lifespan,
tokens
of
any
kind,
but
preferably
open,
ID
connect.
A
A
A
Open
ssf
scorecard
anybody
using
that,
yes,
it
rocks
it'll
check,
so
many
of
the
things
that
I
just
talked
about
Branch
protection
contributors
from
at
least
two
different
organizations,
which
I
thought
was
funny,
because
I
did
that
in
order
to
become
a
bad
contributor,
but
I
really
like
the
avoid
dangerous
coding
patterns.
I
did
a
lot
of
playing
with
that
to
see
what
it
would
find
and
it
was
actually
pretty
good
declarative
I
mean
that's,
not
everything
it
does.
A
It
does
awesome
all
sorts
of
awesome
things
just
checking
the
security
of
the
repository
and
the
way
it
is
tested
in
general.
That's
a
definite
use
it,
the
other
one
I
would
be
remiss
if
I
didn't
plug
the
own
project.
I
work
on,
but
the
reason
we
did
this
was
to
add
rules
to
check
off
that
look
for
the
sort
of
same
sort
of
things.
So
we've
got
strange
patterns
that
look
for
many
uses
of
curl
inside
of
workflow.
A
We
have
some
overlap
with
the
open
ssf
as
well,
because
we
do
scan
the
apis
and
we
look
at
Branch
production
being
enabled
and
they'll
also
things
like
that,
so
there's
a
bit
of
a
Venn
diagram
there,
but
using
both
certainly
would
get
you
a
long
way
to
stopping
me
doing
anything
like
I
just
did
there,
and
that
is
the
end,
and
these
are
all
the
links
I
used.
So
if
you're
curious
to
read,
you
can
go
for
it.
A
A
A
You
can
do
dialysis
in
my
organization,
apply
this
policy
to
them
and
then
Auto
fix
or
open
issues
if
it
doesn't
provide
cool
All-Star
everybody
get
that
it's
like
open
ssf,
but
like
huge
yeah
same
makes
sense
awesome
thanks
for
watching
that.
If
that's
it
great,
oh
well
again,
I
mean
thank
you
for
asking
questions.