Cyber Security

GitHub Actions attacks: even security-sensitive organizations are vulnerable

An attack vector studied by Sysdig targets GitHub Actions workflows that are triggered by the pull_request_target event. According to Sysdig, the attack vector exposes secrets, including GitHub tokens with write permissions to the repository. Moreover, because the workflow runs in the context of the base repository rather than the fork that opened the pull request, the complete repository can be taken over if no safeguards are in place.

“When we analyzed the results, we were surprised by the number of vulnerable pull_request_target workflows we found,” the researchers wrote. “You might think they are limited to obscure or inactive repositories, but that’s not the case. We have discovered several high-profile projects, with tens of thousands of stars, still using unsafe configurations.”

GitHub Actions attacks become real

GitHub Actions is a CI/CD (Continuous Integration and Continuous Delivery) service that lets developers automate software builds and tests by setting up workflows that are triggered by specified events, such as new code being committed to a repository. Each workflow is called an action and is packaged in .yml files that are executed in virtual containers, usually on GitHub’s infrastructure, and return compiled binaries, test results, logs, etc.
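The following is an added example, not code from the article or from Sysdig. It embeds two constructed workflow files: one that reproduces the risky pattern described above (a pull_request_target trigger combined with a checkout of the pull request head, so fork code runs with the base repository's secrets and a write-capable token) and the same job with the usual mitigations (a plain pull_request trigger and an explicit read-only permissions block). The audit function is a line-oriented heuristic, not a YAML parser, written to show what a repository owner would look for when reviewing their own workflows; the workflow names, the step contents and the NPM_TOKEN secret are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not from the article): pull_request_target plus a
# checkout of the PR head means untrusted fork code runs in the base repository's
# context, with its secrets and a GITHUB_TOKEN that has write permissions.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed hardened version: a plain pull_request trigger (forks get a read-only
# token and no secrets), an explicit read-only permissions block, and a checkout
# that does not pull the PR head in under base-repository privileges.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

ON_KEY_RE = re.compile(r"""^(on|'on'|"on")\s*:""")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
SECRETS_RE = re.compile(r"\$\{\{\s*secrets\.")


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    message: str


def _uses_pull_request_target(lines: list[str]) -> bool:
    """True if pull_request_target is a trigger under the top-level `on` key.

    Handles the mapping form (`on:` followed by an indented block) and the inline
    forms (`on: pull_request_target`, `on: [push, pull_request_target]`).
    Heuristic: comments are stripped and blank lines skipped; no YAML parsing.
    """
    in_on = False
    for raw in lines:
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            # A new top-level key: we are inside `on` only if this is the `on` key.
            in_on = bool(ON_KEY_RE.match(line))
            if in_on and "pull_request_target" in line:
                return True
            continue
        if in_on and re.match(r"^\s*-?\s*pull_request_target\b", line):
            return True
    return False


def audit_workflow(text: str) -> list[Finding]:
    """Flag the pull_request_target misuse the article describes, in a workflow file's text."""
    lines = text.splitlines()
    if not _uses_pull_request_target(lines):
        return []   # the trigger is the precondition for this whole class of issue
    # A checkout step whose `ref:` points at the PR head executes the fork's code.
    checks_out_pr_head = any(l.strip().startswith("ref:") and PR_HEAD_RE.search(l) for l in lines)
    uses_secrets = any(SECRETS_RE.search(l) for l in lines)
    findings = []
    if checks_out_pr_head:
        findings.append(Finding("high", "pull_request_target workflow checks out the pull request head: "
                                        "untrusted fork code runs with base-repository secrets and a write token"))
    else:
        findings.append(Finding("medium", "pull_request_target trigger present: verify that no step builds, "
                                          "tests or runs scripts from pull request content"))
    if uses_secrets:
        findings.append(Finding("medium", "secrets are referenced in a pull_request_target workflow and are "
                                          "exposed to any step that executes pull request content"))
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, [f"{f.severity}: {f.message}" for f in audit_workflow(wf)])
```

Running the script reports a high-severity finding (plus a secrets note) for the first workflow and nothing for the hardened one. The check deliberately treats the bare trigger as a medium finding even without a PR-head checkout, because pull_request_target is only safe when every step avoids executing or building content from the pull request.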
