(more recommendations for least privilege) |
(Added another scanning tool) |
Line 32: | Line 32: | ||
** [https://securitylab.github.com/research/github-actions-building-blocks/ Part 3] - Understanding the GitHub Action Supply Chain | ** [https://securitylab.github.com/research/github-actions-building-blocks/ Part 3] - Understanding the GitHub Action Supply Chain | ||
* Understand implications of running workflows on the [https://docs.github.com/en/enterprise-cloud@latest/actions/using-workflows/events-that-trigger-workflows#pull_request_target <code>pull_request_target</code> event] (read the <code>Warning</code> section). | * Understand implications of running workflows on the [https://docs.github.com/en/enterprise-cloud@latest/actions/using-workflows/events-that-trigger-workflows#pull_request_target <code>pull_request_target</code> event] (read the <code>Warning</code> section). | ||
* [https://www.synacktiv.com/publications/github-actions-exploitation-untrusted-input Real Life Misconfiguration] examples (2024-07-02) | |||
=== Scanning Tools === | === Scanning Tools === | ||
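Review bot: The edit summary ("Added another scanning tool") does not cover the new Synacktiv reference added in this hunk, and the bullet text "Real Life Misconfiguration examples" does not say what kind of misconfiguration the reader will find there; the linked URL (`github-actions-exploitation-untrusted-input`) indicates it is about untrusted input reaching workflows, which is exactly the risk the `pull_request_target` bullet above warns about. Suggest wording the link so it ties to that warning, for example "Real-life misconfiguration examples (untrusted input in GitHub Actions, 2024-07-02)", and mentioning the added reference in the edit summary so the revision history stays accurate.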
Line 40: | Line 41: | ||
*** [https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow Dangerous Workflow] | *** [https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow Dangerous Workflow] | ||
** '''''Note:''''' While the action has been approved for use in all organizations, it may not yet have been added to an organization you are working in. If you receive a message that the action is not available, please follow [[GitHub#github_actions|these instructions]] to have it added. | ** '''''Note:''''' While the action has been approved for use in all organizations, it may not yet have been added to an organization you are working in. If you receive a message that the action is not available, please follow [[GitHub#github_actions|these instructions]] to have it added. | ||
* [https://github.com/synacktiv/octoscan Local scan tool] which can check workflows on all branches. | |||
=== Supply Chain Hygiene === | === Supply Chain Hygiene === |
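Review bot: The new bullet "Local scan tool which can check workflows on all branches" never names the tool, so a reader skimming the list cannot tell it apart from the Scorecard entry above without following the link; the URL shows it is Synacktiv's octoscan, and the bullet should say so in the link text (for example "octoscan: local scan tool that can check workflows on all branches"). It would also help to state how it relates to the approved action above, i.e. that it runs locally against a checkout rather than as an organization-approved action, since the preceding ''Note'' about actions not yet being added to an organization does not apply to it. Finally, check that the bullet is meant as a top-level `*` sibling of the Scorecard entry and not a `**` sub-item of it, as it currently sits directly after a `**` note.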