- Sysdig exposed how a trusted github feature can silently control the attackers
- Pull_request_target is not just risky, it is a weapon loaded in the wrong hands
- Even top -level safety projects such as Miter’s can fall into simple erroneous configurations of github workflow
Experts have revealed several critical vulnerabilities in Github Actions’s workflows that could represent serious risks for some important open source projects.
Recent research conducted by the Sysdig threat research team (TRT) has exposed how erroneous configurations, particularly that they involve the trigger Pull_request_target, could allow the attackers to seize control over active repositories or extract sensitive credentials.
The team demonstrated this by committing projects of organizations known as Miter and Splunk.
Github actions are widely adopted in modern software development for their automation capabilities, but this convenience often hides safety risks.
“Modern attacks of the supply chain frequently begin abusing insecure workflows,” says the report, pointing out how secrets as tokens or passwords integrated into workflows can be exploited if they are assured incorrectly.
Despite the best practices and documentation available, many repositories continue to use high -risk configurations, either due to supervision or lack of consciousness.
In the nucleus of the problem is the pull_request_target, which executes workflows in the context of the main branch.
This configuration grants high privileges, including access to the secrets of Github_token and Repository, to the code sent from forks.
While it is intended to facilitate prior to fusion tests, this mechanism also allows the execution of the non -reliable code, creating an attack surface that is easily overlooked.
The risks are not hypothetical, they are real.
In the Spotipy repository, which is integrated with the Spotify website, Sysdig discovered a configuration in which a designed setup. could execute code and reap secrets.
In the Miter (CAR) cybersecurity analysis repository, the attackers were able to execute arbitrary code by modifying the units.
Sysdig confirmed that it was possible to take care of the Github account associated with the project.
Even Splunk’s Security_ Contest repository had secrets as appinspectusername and AppinspectPasword exposed, despite the limited scope of the github_token.
Developers must reassess the use of Pull_request_target, considering safer alternatives: Sysdig recommends separating workflows, using non -privileged checks first and only allowing confidential tasks after validation.
Limiting tokens capabilities and real -time monitoring adoption with tools such as Falco actions can also provide vital protection.
