Pwning the CI (with GitHub Action Workflows) - Stephen Giguere, Bridgecrew


Abstract

Our journey to open source and GitOps heaven has exposed new security challenges as our CI platforms are exposed to the outside world. The soft underbelly of our development pipeline is visible as much to willing contributors as it is to malicious subversives looking for the keys to the backdoor. In this talk we’ll start with basic social engineering and progress to demonstrating live some known potential abuses of GitHub Actions workflows in combination with an insecure GitHub configuration, to show how alluring defaults and straight-up bad practices can leave our supply chain wide open to attackers.
