Feature: dangerous CI #3630
Comments
laurentsimon
added
kind/enhancement
|
This is a cool and clever exploit, I think scorecard should try to check this by finding the build trigger in GitHub actions or by reading the configuration of the Cloud builder (AWS, GCP, etc.) Once we have the config we'd see who can trigger a build with arbitrary code and ensure that that's maintainers only or requires maintainer approval. We might need AWS/GCP creds to do it. But I think it'd be an entirely new check, like Dangerous-CI-Triggers or something similar. Btw, my thinking here is different from #3629 because this is more about the builder/it can be remediated by changing SCM settings/workflow settings and less about scanning AWS IAM, which is external to the SCM. |
|
This issue is stale because it has been open for 60 days with no activity. |
|
not stale |
|
This issue has been marked stale because it has been open for 60 days with no activity. |
Same as dangerous workflows, but for other CI. See https://divyanshu-mehta.gitbook.io/researchs/hijacking-cloud-ci-cd-systems-for-fun-and-profit
The text was updated successfully, but these errors were encountered: