
One attack vector Sysdig investigated involves GitHub Actions workflows that trigger on the pull_request_target event. According to Sysdig, this trigger exposes repository secrets and a privileged GitHub token to the workflow. Because the action runs in the context of the base repository rather than the fork that opened the pull request, a workflow that uses this trigger without safeguards can lead to takeover of the repository.
“As we analyzed the results, we were surprised by the number of vulnerable pull_request_target workflows we discovered,” the researchers wrote. “You might assume these were limited to obscure or inactive repositories, but that was not the case. We found several high-profile projects among the thousands of unprotected configurations that were still in use.”
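To make the weak pattern concrete from a defender's side, here is an added example (not Sysdig's code, not GitHub's) in Python: two constructed workflow files, one that combines pull_request_target with a checkout of the pull request's head and one hardened variant that uses the plain pull_request trigger with an explicit read-only permissions block, plus a small text-based checker of the kind a repository audit script might run over .github/workflows. The sample workflows, the finding wording and the regex heuristics are all assumptions made for this illustration.

```python
import re
from pathlib import Path

# Constructed sample: a workflow that combines the pull_request_target trigger
# with a checkout of the pull request head, so code from the fork runs with the
# base repository's secrets and token. This is the weak configuration.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
"""

# Constructed sample: the hardened variant. The plain pull_request trigger runs
# in the fork's context without repository secrets, and the top-level
# permissions block pins the token to read-only access.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install && npm test
"""

# Heuristic patterns (assumed for this example; a production scanner would
# parse the YAML properly rather than grep it).
TRIGGER_BLOCK_RE = re.compile(r"^\s*pull_request_target\s*:", re.MULTILINE)
TRIGGER_INLINE_RE = re.compile(r"^\s*on\s*:.*\bpull_request_target\b", re.MULTILINE)
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout@")
PERMISSIONS_RE = re.compile(r"^permissions\s*:", re.MULTILINE)


def find_findings(workflow_text):
    """Return a list of finding strings for one workflow file's text.

    An empty list means the heuristics saw nothing risky.
    """
    findings = []
    uses_prt = bool(TRIGGER_BLOCK_RE.search(workflow_text)
                    or TRIGGER_INLINE_RE.search(workflow_text))
    if not uses_prt:
        return findings
    findings.append(
        "pull_request_target trigger: job runs in the base repository with secrets")
    if CHECKOUT_RE.search(workflow_text) and HEAD_REF_RE.search(workflow_text):
        findings.append(
            "checks out the pull request head: untrusted fork code runs with the base-repo token")
    if not PERMISSIONS_RE.search(workflow_text):
        findings.append(
            "no top-level permissions block: token keeps the repository default scope")
    return findings


def scan_workflows(repo_root):
    """Map each workflow file under .github/workflows to its findings."""
    results = {}
    for path in Path(repo_root).glob(".github/workflows/*.y*ml"):
        results[str(path)] = find_findings(path.read_text())
    return results


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, find_findings(text) or "clean")
```

Running the block reports three findings for the weak sample and "clean" for the hardened one; scan_workflows() applies the same checks to a checked-out repository tree.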
GitHub Actions attacks become real
GitHub Actions is a CI/CD (continuous integration and continuous delivery) service that lets developers automate software builds and tests by setting up workflows that run on specified events, such as when new code is committed to a repository. Workflows are defined in .yml files and are made up of actions that execute inside virtual containers, usually on GitHub's infrastructure, producing compiled binaries, test results, logs, and so on.

