example-bad-repo-packages

This is a deliberately misconfigured repository that shows how a GitHub Package can be modified by anyone with write permission on the repository, or through GitHub Actions.

Repository configuration:

  • main has branch protection enabled and requires a review from CODEOWNERS
  • anyone in the PagoPA GitHub Organization has write permission on this repository
  • packages inherit their access settings from the source repository
  • the repository package is a Docker image
  • GitHub Actions has access to packages

You can check the package settings here: https://github.com/orgs/pagopa/packages/container/example-bad-repo-packages/settings

Attack scenario #1:

  • a user with write permission can overwrite the existing Docker image tagged v2 in packages using their personal PAT:

```bash
docker login ghcr.io
> insert GITHUB_USERNAME
> insert GITHUB_PAT_TOKEN
docker build -f Dockerfile.evil -t ghcr.io/pagopa/example-bad-repo-packages:v2 .
docker image push ghcr.io/pagopa/example-bad-repo-packages:v2
```

Attack scenario #2:

  • a user with write permission can overwrite the existing Docker image tagged v2 in packages by opening a pull request (see example Pull Request #1), because the workflow that builds and pushes the image runs with access to packages

Safe scenario:

  • referencing the Docker image by its sha256 digest instead of a tag prevents this kind of supply chain attack, because a digest identifies immutable content while a tag such as v2 can be re-pointed at a new image. Some artifact formats don't support digest pinning (for example Maven), so for those you must restrict write access to packages to prevent tampering.
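The "safe scenario" above relies on consumers pulling by digest rather than by tag. The following added example (not part of the pagopa repository) is a small shell lint that scans a Dockerfile on stdin and reports every FROM instruction that references a registry image by tag only, so a re-pushed mutable tag such as :v2 cannot silently change what a build pulls. The image names and the digest used in the comments are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not part of the pagopa repository): lint FROM instructions
# so that every image pulled from a registry is pinned to an immutable
# sha256 digest instead of a mutable tag.

# is_digest_pinned REF -> 0 if REF ends in "@sha256:<64 hex chars>", else 1.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# lint_dockerfile < Dockerfile
# Prints each base image that is referenced without a digest and returns the
# number of such references (0 means every pulled image is digest-pinned).
# Stage aliases ("FROM x AS build" ... "FROM build") and "scratch" are not
# registry pulls and are skipped.
lint_dockerfile() {
  local line image aliases="" unpinned=0
  while IFS= read -r line || [ -n "$line" ]; do
    # Only FROM instructions pull an image from a registry.
    case "$line" in
      [Ff][Rr][Oo][Mm]\ *) ;;
      *) continue ;;
    esac
    # Drop the keyword and an optional --platform flag; the image reference
    # comes next, followed by an optional "AS <alias>".
    set -- $line
    shift
    case "$1" in --platform=*) shift ;; esac
    image="$1"
    # "scratch" is an empty filesystem, not a pulled image.
    [ "$image" = "scratch" ] && continue
    # A reference to an earlier build stage is not a registry pull either.
    case " $aliases " in *" $image "*) continue ;; esac
    case "$(printf '%s' "${2:-}" | tr '[:upper:]' '[:lower:]')" in
      as) aliases="$aliases $3" ;;
    esac
    if ! is_digest_pinned "$image"; then
      echo "not pinned by digest: $image"
      unpinned=$((unpinned + 1))
    fi
  done
  return "$unpinned"
}

# Usage (constructed input): a tag-only reference is reported and the exit
# status is non-zero, so this can gate a CI job.
#   printf 'FROM ghcr.io/pagopa/example-bad-repo-packages:v2\n' | lint_dockerfile
#   -> not pinned by digest: ghcr.io/pagopa/example-bad-repo-packages:v2
```

The lint is intentionally strict: it treats `latest`, `v2` and an untagged name alike, since all three resolve through a mutable tag. Resolve the digest once (for example with `docker buildx imagetools inspect`) and commit the `@sha256:...` form, then the check passes.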

How to configure GitHub Packages safely?

See this example: https://github.com/pagopa/example-good-repo-packages
