Confirmed users
7
edits
GitHub/Repository Security/GitHub Workflows & Actions: Difference between revisions
GitHub/Repository Security/GitHub Workflows & Actions (view source)
Revision as of 09:41, 19 May 2025
, 19 Mayadd a guideline about caching
(Needed to update and add the bulletpoints) |
(add a guideline about caching) |
||
| (6 intermediate revisions by 2 users not shown) | |||
| Line 10: | Line 10: | ||
# Protect all workflows by requiring code reviews from folks who have familiarized themselves with the security issues of workflows. | # Protect all workflows by requiring code reviews from folks who have familiarized themselves with the security issues of workflows. | ||
# Perform a code review for any additional scripts that you run in the workflows, not only the commands which are directly included in the workflow file. Look for any commands vulnerable to code injection | |||
# Use scanning to detect problems and lack of best practices. | # Use scanning to detect problems and lack of best practices. | ||
# Treat GitHub actions as you would any 3rd party library shipped with your product. | # Treat GitHub actions as you would any 3rd party library shipped with your product. | ||
| Line 19: | Line 20: | ||
# When configuring automatic merging or making exceptions in the workflow for Dependabot, make sure to validate the user and not the actor in the Github action. | # When configuring automatic merging or making exceptions in the workflow for Dependabot, make sure to validate the user and not the actor in the Github action. | ||
#* Use the check "<code>github.event.pull_request.user.login == 'dependabot[bot]'</code>" instead of "<code>github.actor == 'dependabot[bot]'</code>" | #* Use the check "<code>github.event.pull_request.user.login == 'dependabot[bot]'</code>" instead of "<code>github.actor == 'dependabot[bot]'</code>" | ||
'''Additionally''', following a recent supply-chain attack involving the '''reviewdog/action-setup''' GitHub Action (March 2025), it is strongly recommended to: | '''Additionally''', following a recent supply-chain attack involving the '''reviewdog/action-setup''' GitHub Action (March 2025), it is strongly recommended to: | ||
| Line 27: | Line 27: | ||
* Immediately rotate any credentials (such as Personal Access Tokens, API keys, or other secrets) if you suspect exposure. | * Immediately rotate any credentials (such as Personal Access Tokens, API keys, or other secrets) if you suspect exposure. | ||
* Promptly update any third-party actions to their latest patched versions, and verify their integrity before use. | * Promptly update any third-party actions to their latest patched versions, and verify their integrity before use. | ||
== Resources and tools == | == Resources and tools == | ||
| Line 75: | Line 74: | ||
** Consider permitting only a specific revision (instead of relying on a version tag) | ** Consider permitting only a specific revision (instead of relying on a version tag) | ||
== Recommendations == | |||
=== Manage Sensitive Data Securely === | === Manage Sensitive Data Securely === | ||
| Line 104: | Line 82: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
.env | .env | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 133: | Line 106: | ||
If some permissions are required, set them to the minimum necessary. | If some permissions are required, set them to the minimum necessary. | ||
* When configuring workflows for automated merging or handling Dependabot pull requests, always validate the user initiating the request instead of the actor. For example, use: | === Implement Secure Configuration === | ||
* '''Perform Secure dependabot Validation''': When configuring workflows for automated merging or handling Dependabot pull requests, always validate the user initiating the request instead of the actor. For example, use: | |||
<syntaxhighlight lang="yaml"> | <syntaxhighlight lang="yaml"> | ||
github.event.pull_request.user.login == 'dependabot[bot]' | github.event.pull_request.user.login == 'dependabot[bot]' | ||
| Line 146: | Line 120: | ||
* '''Avoid Storing Tokens in Git''': Ensure tokens are not stored in your Git repository by adding relevant patterns to your <code>.gitignore</code> file and using GitHub Actions secrets to securely manage sensitive information. | * '''Avoid Storing Tokens in Git''': Ensure tokens are not stored in your Git repository by adding relevant patterns to your <code>.gitignore</code> file and using GitHub Actions secrets to securely manage sensitive information. | ||
*'''Avoid Using Caching for Privileged Jobs''': Caching in Github Actions is vulnerable to [https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/ cache poisoning]. If a code injection vulnerability is present in any of the workflows (whether they run in a privileged context or not), and you use caching in a higher privileged workflow, then code injection can be exploited to poison the cache and steal higher value secrets and credentials. | |||
=== Docker Security Best Practices === | |||
To enhance the security and efficiency of your Docker workflows, consider implementing the following best practices: | |||
==== Utilize a <code>.dockerignore</code> File ==== | |||
A well-configured <code>.dockerignore</code> file is essential for optimizing your Docker build process. It functions similarly to a <code>.gitignore</code> file by specifying which files and directories should be excluded from the build context. This practice reduces the build size, leading to faster builds, and prevents sensitive or unnecessary files from being included in your Docker images. | |||
* '''Exclude Version Control Directories''': Add <code>.git/</code> to your <code>.dockerignore</code> file to prevent the inclusion of Git configuration which could include the authentication token, history and metadata in your Docker image, thereby reducing image size and avoiding potential exposure of sensitive information. | |||
<syntaxhighlight lang="bash"> | |||
.git/ | |||
</syntaxhighlight> | |||
* '''Exclude Node Modules''': For Node.js projects, exclude the <code>node_modules/</code> directory to prevent unnecessary files from being added to the Docker image. | |||
<syntaxhighlight lang="bash"> | |||
node_modules/ | |||
</syntaxhighlight> | |||
* '''Exclude Temporary and Log Files''': Prevent temporary files and logs from being included in the image by adding patterns like: | |||
<syntaxhighlight lang="bash"> | |||
*.log | |||
*.tmp | |||
</syntaxhighlight> | |||
* '''Exclude GitHub Actions Credential Files''': Exclude credential JSON files (<code>gha-creds-*.json</code>) used in GitHub Actions workflows to avoid inadvertently including authentication data in Docker images. Alternatively, build Docker images before running the <code>google-github-actions/auth@v2</code> step in your GitHub workflow, ensuring these credentials aren't present in your build context. | |||
<syntaxhighlight lang="bash"> | |||
gha-creds-*.json | |||
</syntaxhighlight> | |||
===== Sample <code>.dockerignore</code> file ===== | |||
<syntaxhighlight lang="bash"> | |||
.git/ | |||
node_modules/ | |||
*.log | |||
*.tmp | |||
gha-creds-*.json | |||
</syntaxhighlight> | |||