Edit summaries: (Added a Docker Security Best Practices Section); (Added an advisory following the recent GitHub tnj action compromise)

Line 19:
# When configuring automatic merging or making exceptions in the workflow for Dependabot, validate the pull request author rather than the actor of the GitHub Actions run: <code>github.actor</code> is the account that triggered the current run (for example the account that last pushed to the pull request branch), which is not necessarily the account that opened the pull request.
#* Use the check "<code>github.event.pull_request.user.login == 'dependabot[bot]'</code>" instead of "<code>github.actor == 'dependabot[bot]'</code>".
'''Additionally''', following the March 2025 supply-chain attack on the '''reviewdog/action-setup''' GitHub Action, in which an existing version tag was re-pointed at malicious code that wrote the runner's secrets into the job log in encoded form, it is strongly recommended to:
* Pin third-party GitHub Actions to specific, immutable commit SHAs rather than mutable tags (such as <code>@v1</code> or <code>@latest</code>). A tag can be moved after the fact, so a tag pin offers no protection against a compromised tag, whereas a full 40-character commit SHA cannot be silently redirected. Note that a SHA-pinned action may itself reference other actions by tag, so the pin is only as strong as the pinned action's own dependencies.
* Regularly audit workflow files and execution logs for suspicious or unexpected behaviour, particularly base64-encoded or otherwise obfuscated blobs in the output, which may indicate that secrets are being exfiltrated through the log.
* Immediately rotate any credentials (Personal Access Tokens, API keys, cloud credentials, or other secrets) that a compromised workflow could have read; assume exposure if the logs show such output.
* Update any affected third-party actions to a patched version, review the commit you intend to use, and re-pin to its commit SHA rather than returning to a tag.
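As an added example (not from the original page, and not code from any of the projects named in it), the following Python script performs two of the checks above offline: it lints a workflow file for tag-pinned actions and for the weak <code>github.actor</code> Dependabot check, and it scans a job log for base64 blobs that decode (through several layers) to credential-like material. The sample workflow, the job log, the placeholder commit SHA and the placeholder token are all constructed for illustration and are assumptions of this example.

```python
import base64
import binascii
import re

# Constructed sample workflow (not from the page). The "weak" job uses the
# actor check and tag-pinned actions; the "hardened" job uses the PR-author
# check and a SHA pin. The SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: dependabot-automerge
on: pull_request_target
jobs:
  weak:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
  hardened:
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
"""

# Constructed job log (not a real capture). One line carries a double
# base64-encoded placeholder token, mimicking a secret dump written to a log.
FAKE_TOKEN = "ghp_" + "x" * 36  # placeholder with the shape of a GitHub PAT, not a real token
_BLOB = base64.b64encode(base64.b64encode(f"GITHUB_TOKEN={FAKE_TOKEN}".encode())).decode()
SAMPLE_LOG = "\n".join([
    "Run reviewdog/action-setup@v1",
    "Resolved actions/checkout to 0123456789abcdef0123456789abcdef01234567",
    _BLOB,
    "Post job cleanup.",
])

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")
ACTOR_RE = re.compile(r"github\.actor\s*==\s*['\"]dependabot\[bot\]['\"]")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Markers that decoded data is credential material; extend for your own secret formats.
SECRET_RE = re.compile(r"ghp_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16}|(?i:token|secret|password)\s*[=:]")


def find_unpinned_actions(workflow_text):
    """Return (line number, uses reference) for every action not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local action or container image; not a tag-pinning question
        _, _, version = ref.partition("@")
        if not SHA_RE.fullmatch(version):
            findings.append((lineno, ref))
    return findings


def find_actor_checks(workflow_text):
    """Return line numbers that gate on github.actor instead of the pull request author."""
    return [i for i, line in enumerate(workflow_text.splitlines(), 1) if ACTOR_RE.search(line)]


def _peel_base64(token, max_layers):
    """Decode nested base64 layers; return the decoded text once it looks like a secret."""
    data = token.encode("ascii")
    for _ in range(max_layers):
        try:
            data = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            return None  # not valid base64 (e.g. a commit SHA that merely looks like it)
        text = data.decode("utf-8", "ignore")
        if SECRET_RE.search(text):
            return text
        if not B64_RE.fullmatch(text):
            return None  # decoded to something that is neither a secret nor another layer
    return None


def find_encoded_secrets(log_text, max_layers=3):
    """Return (line number, decoded text) for log lines carrying encoded credential material."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in B64_RE.finditer(line):
            decoded = _peel_base64(m.group(0), max_layers)
            if decoded is not None:
                findings.append((lineno, decoded))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"workflow line {lineno}: not SHA-pinned: {ref}")
    for lineno in find_actor_checks(SAMPLE_WORKFLOW):
        print(f"workflow line {lineno}: uses github.actor; check github.event.pull_request.user.login instead")
    for lineno, text in find_encoded_secrets(SAMPLE_LOG):
        print(f"log line {lineno}: encoded secret material: {text[:24]}...")
```

The SHA on the log's second line is deliberately included: a 40-character hex string is valid base64, but it decodes to binary noise rather than to another base64 layer or to anything matching the secret markers, so it is not reported. Point the functions at the contents of your own <code>.github/workflows/*.yml</code> files and downloaded job logs to use them for real.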