GitHub/Repository Security/GitHub Workflows & Actions: Difference between revisions

Added another scanning tool
(more recommendations for least privilege)
** [https://securitylab.github.com/research/github-actions-building-blocks/ Part 3] - Understanding the GitHub Action Supply Chain
* Understand the implications of running workflows on the [https://docs.github.com/en/enterprise-cloud@latest/actions/using-workflows/events-that-trigger-workflows#pull_request_target <code>pull_request_target</code> event]: unlike <code>pull_request</code>, it runs in the context of the base repository, so the job has access to repository secrets and a write-capable <code>GITHUB_TOKEN</code> even when the pull request comes from a fork. Checking out and executing the PR's head revision in such a job hands those credentials to the contributor (read the <code>Warning</code> section).
* [https://www.synacktiv.com/publications/github-actions-exploitation-untrusted-input Real-life misconfiguration examples] from Synacktiv (2024-07-02), showing how untrusted pull request and issue data reaches workflow steps.
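As an added example (not code from this wiki, GitHub, or the linked articles), the script below contrasts the two misconfigurations the items above warn about with their hardened form, and implements a small heuristic check for them of the kind the scanning tools automate: a <code>pull_request_target</code> workflow that checks out the PR head and runs it, and a <code>run:</code> step that interpolates attacker-controlled event fields into a shell command. The workflow texts are constructed samples; the parser is line-oriented on purpose so it runs without PyYAML, and it is not a substitute for Scorecard's Dangerous Workflow check or octoscan.

```python
"""Heuristic check for two dangerous-workflow patterns (added example):
a pull_request_target job that checks out and runs the PR's own code, and
a run step that interpolates untrusted event data into a shell command."""
import re

# Constructed sample: pull_request_target + checkout of the PR head + running it.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Testing ${{ github.event.pull_request.title }}"
          npm ci && npm test
"""

# Constructed sample: same job on pull_request (fork PRs get no secrets and a
# read-only token); untrusted text reaches the shell only via an env variable.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Testing $PR_TITLE"
          npm ci && npm test
"""

PRT_TRIGGER = re.compile(
    r"^\s*pull_request_target\s*:"         # block form under on:
    r"|^\s*-\s*pull_request_target\s*$"    # list form
    r"|^\s*on:.*\bpull_request_target\b",  # inline: on: [push, pull_request_target]
    re.M,
)
# actions/checkout pinned to the PR head (sha or branch) instead of the base.
PR_HEAD_REF = re.compile(
    r"^\s*ref:\s*\$\{\{\s*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)\s*\}\}",
    re.M,
)
# Event fields a contributor controls; expanding them inside run: is injection.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*github\.(?:head_ref"
    r"|event\.pull_request\.(?:title|body|head\.ref|head\.label)"
    r"|event\.issue\.(?:title|body)|event\.comment\.body|event\.review\.body"
    r"|event\.head_commit\.message)\s*\}\}"
)


def run_blocks(text):
    """Yield the command text of every `run:` step, inline or block scalar."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*(?:-\s*)?)run:\s*(.*)$", lines[i])
        i += 1
        if not m:
            continue
        key_col, value = len(m.group(1)), m.group(2).strip()
        if value and value[0] not in "|>":          # inline: `run: make test`
            yield value
            continue
        body = []                                   # block scalar: `run: |`
        while i < len(lines) and (
            not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > key_col
        ):
            body.append(lines[i].strip())
            i += 1
        yield "\n".join(body)


def scan_workflow(text):
    """Return [(finding, evidence)] for one workflow file's text."""
    findings = []
    if PRT_TRIGGER.search(text):
        m = PR_HEAD_REF.search(text)
        if m:
            findings.append(("untrusted-checkout", m.group(0).strip()))
    for cmd in run_blocks(text):
        for m in UNTRUSTED_CONTEXT.finditer(cmd):
            findings.append(("script-injection", m.group(0)))
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, scan_workflow(wf) or "clean")
```

Run it over <code>.github/workflows/*.yml</code> on every branch, not only the default one: a <code>pull_request_target</code> workflow on a stale branch is still triggered by pull requests against that branch. The hardened sample keeps the same job but moves it to <code>pull_request</code>, where fork PRs get no secrets and a read-only token, and passes the title through an environment variable so the shell never sees the raw expression.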


=== Scanning Tools ===
*** [https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow Dangerous Workflow]
** '''''Note:''''' While the action has been approved for use in all organizations, it may not yet have been added to an organization you are working in. If you receive a message that the action is not available, please follow [[GitHub#github_actions|these instructions]] to have it added.
* [https://github.com/synacktiv/octoscan octoscan], a local static scanner for workflow files that can check all branches of a repository rather than only the default branch.


=== Supply Chain Hygiene ===