GitHub/Repository Security/GitHub Workflows & Actions: Difference between revisions

GitHub/Repository Security/GitHub Workflows & Actions (view source)

428 bytes added , 4 September 2024

m

adding a note about validating dependabot in a secure way based on bug https://bugzilla.mozilla.org/show_bug.cgi?id=1914746

Confirmed users

7

edits

@@ Line 17: / Line 17: @@
 #* Explicitly set "<code>persist-credentials: false</code>" when using the "<code>actions/checkout</code>" action. (Prevent hidden state.)
 #* Explicitly unset <tt>GITHUB_TOKEN</tt> when not needed at the workflow or job level with "<code>permissions: {}</code>".
+# When configuring automatic merging or making exceptions in the workflow for Dependabot, make sure to validate the user and not the actor in the Github action.
+#* Use the check "<code>github.event.pull_request.user.login == 'dependabot[bot]'</code>" instead of "<code>github.actor == 'dependabot[bot]'</code>"
@@ Line 33: / Line 35: @@
 * Understand implications of running workflows on the [https://docs.github.com/en/enterprise-cloud@latest/actions/using-workflows/events-that-trigger-workflows#pull_request_target <code>pull_request_target</code> event] (read the <code>Warning</code> section).
 * [https://www.synacktiv.com/publications/github-actions-exploitation-untrusted-input Real Life Misconfiguration] examples (2024-07-02)
+* [https://www.synacktiv.com/publications/github-actions-exploitation-dependabot Exploiting Dependabot] (2024-08-06)
 === Scanning Tools ===