/github-actions-goat

GitHub Actions Goat: Deliberately Vulnerable GitHub Actions CI/CD Environment


Maintained by stepsecurity.io License: Apache 2.0

GitHub Actions Goat by StepSecurity is an educational project that simulates common security attacks and vulnerabilities in a GitHub Actions CI/CD environment and shows how to defend against such attacks.

The importance of CI/CD Security has been underlined by guidance from the Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA). As per their document Defending Continuous Integration/Continuous Delivery (CI/CD) Environments:

CI/CD environments have become attractive targets for malicious cyber actors (MCAs) aiming to introduce malicious code, steal intellectual property, or cause denial of service attacks against applications.

The increasing number of attacks on CI/CD environments, such as the infamous SolarWinds, Codecov, and ua-parser-js attacks, paints a vivid picture of this growing threat.

GitHub Actions Goat incorporates best practices from the CISA/NSA guidance on CI/CD Security and GitHub's Security Hardening for GitHub Actions guide to showcase how these threats can be mitigated in GitHub Actions Hosted-Runners and self-hosted Actions Runner Controller (ARC) environments.

Puzzle Time

Let's kick things off with a challenge designed to get your analytical gears turning. Take a close look at the publish.yml GitHub Actions workflow. This simple workflow builds and pushes a Docker image, and uses the Harden-Runner GitHub Action, which provides Security Observability and Runtime Enforcement for GitHub Actions workflows. Now, we present you with the puzzle. Check out these network events monitored during a run of this workflow. Notice anything odd? Why is there an outbound call to stepsecurity.io during the workflow run? Is this expected, or something more nefarious?

Threat Scenarios

The CISA/NSA guidance on CI/CD Security covers 3 main threat scenarios.

1. Attacker acquires a developer's credential to access a Git repository

In a GitHub Actions CI/CD environment, someone with write access to a repository can create a new GitHub Actions workflow in a new branch. This workflow, which runs in a new branch that has no branch protection rules and has not been reviewed by any other developer, can:

  • Make use of the GITHUB_TOKEN to get write access to the repository contents or to the GitHub Container Registry (GHCR).
  • Access the GitHub Actions secrets in the repository and potentially exfiltrate them.
  • Depending on how the OpenID Connect (OIDC) policies are set up to grant access to GitHub Actions workflows, this workflow can also get access to cloud accounts.

Real-world incidents: For examples of real-world incidents in which credentials have been exfiltrated from CI/CD pipelines, refer to Exfiltration of secrets from the CI/CD pipeline.

2. Supply chain compromise of an application library, tool, or container image in a CI/CD pipeline that leads to a poisoned DevSecOps environment

Unlike in the first scenario, where an attacker creates a new GitHub Actions workflow, in this scenario an existing GitHub Actions workflow is poisoned by the compromise of a tool or library that is already being used in the workflow.

Similar to the above threats, if the GitHub Actions workflow is poisoned, an attacker can exfiltrate credentials.

In addition, if this is a deployment workflow, an attacker can also modify source code or build artifacts during the build process. This is typically done by overwriting files on the file system during the build process. As a result, while no credentials are exfiltrated, the resulting artifact has been tampered with. This is a stealthy attack method as there is no log of these changes.

Real-world incidents: For examples of real-world incidents in which files have been tampered with during the build and release process in CI/CD pipelines, refer to Tampering of source code or artifacts during build.

3. Supply chain compromise of a CI/CD environment that injects code into the code repository

GitHub Actions workflows can be used to approve pull requests and merge code into protected branches. As an example, many projects use these capabilities to auto-approve and merge Dependabot pull requests.

If a workflow is compromised, it can potentially be used to push changes to the repository to modify existing source code.

Real-world incidents: For examples of real-world incidents in which GITHUB_TOKEN was compromised, refer to Compromise of the GITHUB_TOKEN.

Getting Started

To get started:

  1. Create a fork of this repository.

  2. Go to the Actions tab in the fork. Click the "I understand my workflows, go ahead and enable them" button.

  3. Click on a link in the Countermeasure column below and follow the tutorials.

Vulnerabilities and Countermeasures

GitHub Actions Goat not only demonstrates vulnerabilities but also presents solutions and references to best practices for each issue. In each scenario, we demonstrate how a particular threat can be mitigated.

| No. | Vulnerability | Countermeasure | References |
| --- | --- | --- | --- |
| 1. | Lack of Network Traffic Filtering can lead to Exfiltration of CI/CD Credentials | GitHub Actions Runtime Security - Filter Network Traffic | "Implement network segmentation and traffic filtering" in CISA/NSA guide |
| 2. | Lack of CI/CD Runtime Security can lead to Tampering of Source Code or Artifacts during Build | GitHub Actions Runtime Security - Detect File Tampering | "Implement endpoint detection and response (EDR) tools" in CISA/NSA guide |
| 3. | Lack of Detailed Audit Logs for CI/CD Activities | Trace deployments to CI/CD pipeline and commit | "Keep audit logs" section in CISA/NSA guide |
| 4. | Overprivileged GITHUB_TOKEN Permissions can lead to tampering of repository contents or container images | Update workflows to use least privileged GITHUB_TOKEN permissions | "Use credentials that are minimally scoped" in GitHub's Security Guide |
| 5. | Use of Long-Term CI/CD Credentials | 1. Audit and rotate registered secrets; 2. Use OpenID Connect (OIDC) in GitHub Actions workflows | 1. "Audit and rotate secrets" in GitHub's Security Guide; 2. "Using OpenID Connect to access cloud resources" in GitHub's Security Guide; 3. "Minimize the use of long-term credentials" in CISA/NSA document |
| 6. | Use of Untrusted 3rd Party GitHub Actions | 1. Review GitHub Actions used across your Organization; 2. Pin actions to a full length commit SHA | 1. "Using 3rd party Actions" in GitHub's Security Guide; 2. "Restrict untrusted libraries and tools" section in CISA/NSA document |
| 7. | Outdated GitHub Actions with Known Vulnerabilities | Configure Dependabot to keep Actions up to date | 1. "Using Dependabot version updates to keep Actions up to date" from GitHub's Security Guide; 2. "Keep CI/CD tools up-to-date" in CISA/NSA document |
| 8. | Absence of Security Scanning within the CI/CD Pipeline | Integrate security scanning as part of the CI/CD pipeline | "Integrate security scanning as part of the CI/CD pipeline" section of the CISA/NSA guide |
| 9. | Secrets Stored as Plaintext in Workflow Files | Scan for Secrets in Workflow Files | 1. "Using Secrets" section in GitHub's Security Guide; 2. "Secure secrets" section in CISA/NSA document |
| 10. | Secrets Logged in the Build Logs | Scan for Secrets in Build Logs | 1. "Using Secrets" section in GitHub's Security Guide; 2. "Secure secrets" section in CISA/NSA document |
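
The following is an added example, not code from the GitHub Actions Goat project: a small auditor for two of the countermeasures listed above, least privileged GITHUB_TOKEN permissions (row 4) and pinning actions to a full length commit SHA (row 6). The function names, the sample workflow and the `example-org/example-action` reference are constructed for illustration.

```python
import re

# Constructed sample workflow (not from the GitHub Actions Goat repository).
SAMPLE_WORKFLOW = """\
name: publish
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
      - run: make build
"""

# Captures the reference after `uses:`, ignoring quotes and trailing comments.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def is_pinned(ref):
    """True if a `uses:` reference cannot be silently repointed upstream."""
    if ref.startswith("./"):            # local action, versioned with the repo
        return True
    if ref.startswith("docker://"):     # container image: require a digest
        return "@sha256:" in ref
    _, _, version = ref.partition("@")  # owner/repo[/path]@ref
    return bool(FULL_SHA_RE.fullmatch(version))


def audit_workflow(text):
    """Return findings as (line_number, message) tuples for one workflow."""
    findings = []
    lines = text.splitlines()
    # Workflow-level check only; job-level `permissions:` blocks are not evaluated.
    if not any(re.match(r"permissions:", line) for line in lines):
        findings.append((0, "no workflow-level permissions block; GITHUB_TOKEN "
                            "falls back to the repository or organization default"))
    for number, line in enumerate(lines, start=1):
        match = USES_RE.match(line)
        if match and not is_pinned(match.group(1)):
            findings.append((number, f"not pinned to a commit SHA or digest: {match.group(1)}"))
    return findings


if __name__ == "__main__":
    for number, message in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {number}: {message}")
```

Run it over each file under `.github/workflows/` in a fork; a finding on line 0 refers to the workflow as a whole rather than to a specific step.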