This repository contains writings, scripts, and other results of the GitHub Actions workflows vulnerabilities research.
If you're new to workflow vulnerabilities or looking for guidance, follow the overview.md to get started. Otherwise feel free to dive into a specific topic from the list below.
- Pwn Request via non-default branch
- Exfiltration of organization level secrets
- Related Work
- Assesing impact of GitHub Actions workflow vulnerability
- The
if
condition - The
GITHUB_TOKEN
- Tools
- How workflow run approvals work?
⚠️ this is an ongoing research and results will be published gradually
We're open to contributions! See the contributing guide for detailed instructions.
Thank you for peer reviewing the original research paper (not yet published):
- Alexey Pakharev
- Innokentii Sennovskii
- Mikhail Egorov
The research team:
- Artem Mikheev
- Danila Stupin
- Ilya Tsaturov
- Mikhail Egorov
- Nikita Stupin
Finally, we are very grateful to all other people who supported us directly or indirectly through their virtuous activities.
СI/CD systems allow us to offload routine tasks from humans to machines. In order to function, these systems require access to critical parts of infrastructure: code repositories, package registries, and secrets. Thus a breach in a CI/CD system may lead to a devastating supply chain compromise. Information security engineers do their best to make CI/CD systems secure. However, do we use these systems in a secure way?
This research was scoped to vulnerabilities in GitHub Actions workflows; platform vulnerabilities like Stealing arbitrary GitHub Actions secrets were left out of scope. Finally, we analyzed only repositories belonging to bug bounty programs and vulnerability disclosure programs.
In total we analyzed more than 40000 GitHub Actions workflows over the course of more than a year and half. We identified and reported more than 90 vulnerabilities most of which were accepted as Critical and High severity. We also found new variants of Pwn Request and Code / Command Injection vulnerabilities in GitHub Actions workflows and new types of vulnerabilities.
Rojan Rijal published a blog post on Code / Command Injection vulnerabilities in GitHub Actions workflows in Stealing secrets from GitHub Actions.
Later Jaroslav Lobačevski published an amazing series of blog posts on Pwn Request, Code / Command Injection in workflows and hardening techniques in Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests, Keeping your GitHub Actions and workflows secure Part 2: Untrusted input, Keeping your GitHub Actions and workflows secure Part 3: How to trust your building blocks respectively along with dozens of GitHub Security Advisories.
Series of research by Adnan Khan focusing on self-hosted runners (One Supply Chain Attack to Rule Them All – Poisoning GitHub's Runner Images), cache poisoning (The Monsters in Your Build Cache – GitHub Actions Cache Poisoning and ActionsCacheBlasting) and TOCTOU (ActionsTOCTOU).
In GitHub Actions check-spelling community workflow - GITHUB_TOKEN leakage via advice.txt symlink by Justin Steven a vulnerability in the check-spelling/check-spelling dependency action rather than a workflow itself was described. This vulnerability made jekyll/jekyll
, microsoft/terminal
, PowerDNS/pdns
and other repositories vulnerable to unauthorized modification and secrets exfiltration. Also, RyotaK in Remote code execution in Homebrew by compromising the official Cask repository described another vulnerability which was not in the workflow itself but in a dependency.
Teddy Katz made several disclosures of GitHub Actions platform vulnerabilities in Stealing arbitrary GitHub Actions secrets, How I accidentally took down GitHub Actions and others which inspired several techniques.
Omer Gil in Bypassing required reviews using GitHub Actions presented a technique to abuse GitHub Actions to bypass some review processes by leveraging the fact that the github-actions[bot]
user has write access to a repository.
Grayson Hardaway showed how to identify vulnerabilties in GitHub Actions workflows using Semgrep in Protect Your GitHub Actions with Semgrep
. They also discussed the dangers of using the ACTIONS_ALLOW_UNSECURE_COMMANDS
environment variable.
How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects by Alex Ilgayev shows advanced exploitation techniques, particularly exfiltration of organization level secrets.
Nathan Davison in Shaking secrets out of CircleCI builds - insecure configuration and the threat of malicious pull requests discovered that CircleCI projects can be configured in a way that anyone can exfiltrate secrets with a malicious Pull Reques. And shared a non-intrusive technique to identify such vulnerabilities. They also published his findings on GitHub Actoions vulnerabilities in Github Actions and the threat of malicious pull requests.
Alex Birsan published a great blog post Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies on abusing name collisions of public npm, PyPI and RubyGems registries. Later Kamil Vavra and Gal Nagli expanded dependecy confusion topic to WordPress plugins in WordPress Plugin Confusion: How an update can get you pwned and Wordpress Plugin Update Confusion - The full guide how to scan and mitigate the next big Supply Chain Attack. These writings helped us to develop several gadgets.
0xn3va/cheat-sheets/CI CD/Github gathers knowledge about GitHub Actions workflows security. Similar to this repository.
Identifying vulnerabilities in GitHub Actions & AWS OIDC Configurations is more about how AWS roles can be misconfigured but related to the GitHub Actions context.
What the fork? Imposter commits in GitHub Actions and CI/CD showcases a technique where you can reference malicious content from a fork even if it has not been merged. Keep in mind that it may need some sort of social engineering.
LOTP - Living Off The Pipeline a collection of gadgets.
GITHUB ACTIONS EXPLOITATION: DEPENDABOT by Hugo Vincent sharing an interesting technique that exploits workflows that automerge pull requests from Dependabot.