-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New CS proposal: GitHub Actions #1306
Comments
This seems like a good idea. Can you explain what you would include in this that wouldn't be better suited for the existing CI/CD Security cheat sheet? |
Hello, the one you mentioned is covering all CI CD security risks from a broader perspective. The one I proposed is specific and limited to Github Actions. So, it would include specific examples for Github Actions and specific security practices that are available for Github Actions. For example, it would mention misuse of pull_request_target workflow trigger, which is specific to Github Actions and might not be relevant for other CI/CD components/solutions. Another example, CI/CD cheat sheet mentions Least Privilege, but provides general guidance due to its scope. In the proposed cheat sheet, it would provide more details on how it is achieved in the case of Github Actions like preventing Actions from creating pull requests, restricting workflow permissions. So in short, we may compare these two to Authorisation Cheat Sheet and Transaction Authorisation Cheat Sheet. |
Thank you. This sounds great to me. @jmanico @kwwall @mackowski what are your thoughts? |
I like it |
Sounds good to me.
…-kevin
On Thu, Feb 8, 2024, 4:29 PM Jim Manico ***@***.***> wrote:
I like it
—
Reply to this email directly, view it on GitHub
<#1306 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAO6PGZUULGEWIGACRARIQTYSU7SPAVCNFSM6AAAAABCWO7TIWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMZUHE3DEMBZHE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Awesome. @mleblebici do you want to work on this? |
Sure, we would like to work on this together with @jbrinksma. |
@mleblebici are you stil working on this? |
What is the proposed Cheat Sheet about?
It will aim to provide guidance on configuring and utilising GitHub Actions securely.
What security issues are commonly encountered related to this area?
Github Actions security is needed to prevent supply chain attacks. GitHub Action injection attacks are also common, which can result in unauthorised code execution, modifying release packages, disclosure of secrets, etc.
What is the objective of the Cheat Sheet?
It will provide a comprehensive guide for developers and security practitioners with best practices and considerations for securing GitHub Actions workflows.
What other resources exist in this area?
There is an official hardening guide from Github. Even though it provides lots of guidance, there might be some additional things like whitelisting actions, using custom deployment protection rules, not using pull_request_target, etc. Also, to enable community support, it will be good to have an open-source guideline so that additional things can be added by the community.
The text was updated successfully, but these errors were encountered: