Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New CS proposal: GitHub Actions #1306

Open
mleblebici opened this issue Feb 2, 2024 · 8 comments
Open

New CS proposal: GitHub Actions #1306

mleblebici opened this issue Feb 2, 2024 · 8 comments
Assignees
Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. NEW_CS Issue about the creation of a new cheat sheet.

Comments

@mleblebici
Copy link
Contributor

What is the proposed Cheat Sheet about?

It will aim to provide guidance on configuring and utilising GitHub Actions securely.

What security issues are commonly encountered related to this area?

Github Actions security is needed to prevent supply chain attacks. GitHub Action injection attacks are also common, which can result in unauthorised code execution, modifying release packages, disclosure of secrets, etc.

What is the objective of the Cheat Sheet?

It will provide a comprehensive guide for developers and security practitioners with best practices and considerations for securing GitHub Actions workflows.

What other resources exist in this area?

There is an official hardening guide from Github. Even though it provides lots of guidance, there might be some additional things like whitelisting actions, using custom deployment protection rules, not using pull_request_target, etc. Also, to enable community support, it will be good to have an open-source guideline so that additional things can be added by the community.

@mleblebici mleblebici added ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. NEW_CS Issue about the creation of a new cheat sheet. labels Feb 2, 2024
@szh
Copy link
Collaborator

szh commented Feb 5, 2024

This seems like a good idea. Can you explain what you would include in this that wouldn't be better suited for the existing CI/CD Security cheat sheet?

@mleblebici
Copy link
Contributor Author

Hello, the one you mentioned is covering all CI CD security risks from a broader perspective. The one I proposed is specific and limited to Github Actions. So, it would include specific examples for Github Actions and specific security practices that are available for Github Actions. For example, it would mention misuse of pull_request_target workflow trigger, which is specific to Github Actions and might not be relevant for other CI/CD components/solutions. Another example, CI/CD cheat sheet mentions Least Privilege, but provides general guidance due to its scope. In the proposed cheat sheet, it would provide more details on how it is achieved in the case of Github Actions like preventing Actions from creating pull requests, restricting workflow permissions. So in short, we may compare these two to Authorisation Cheat Sheet and Transaction Authorisation Cheat Sheet.

@szh
Copy link
Collaborator

szh commented Feb 8, 2024

Thank you. This sounds great to me. @jmanico @kwwall @mackowski what are your thoughts?

@jmanico
Copy link
Member

jmanico commented Feb 8, 2024

I like it

@kwwall
Copy link
Collaborator

kwwall commented Feb 8, 2024 via email

@szh szh added ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. and removed ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. labels Feb 8, 2024
@szh
Copy link
Collaborator

szh commented Feb 8, 2024

Awesome. @mleblebici do you want to work on this?

@mleblebici
Copy link
Contributor Author

Sure, we would like to work on this together with @jbrinksma.

@szh szh removed the HELP_WANTED Issue for which help is wanted to do the job. label Feb 9, 2024
@mackowski
Copy link
Collaborator

@mleblebici are you stil working on this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. NEW_CS Issue about the creation of a new cheat sheet.
Projects
None yet
Development

No branches or pull requests

5 participants