Hacking your CI/CD with Francois Proulx

Published 8 Jun 2026

Duration: 35:37

Critical vulnerabilities in open source CI/CD pipelines, including hijacking and supply chain attacks via social engineering or compromised builds, are highlighted through incidents like TJ Actions and Ultralytics, with mitigation strategies emphasizing secure credentials, externalized workflows, threat modeling, and tools like *Smoked Meat* and *Bagel* to enhance incident response and supply chain security.

Episode Description

Josh welcomes back Francois Proulx to talk about the absolute madness in the CI/CD universe right now. We also learn about Francois' new project Smoke...

Overview

The podcast discusses critical security vulnerabilities in CI/CD pipelines within open source projects, emphasizing the risks of hijacking and poisoning attacks. Notable incidents include the TJ Actions Compromise, where a GitHub action plugin led to widespread exploitation, and the Ultralytics Incident, where a zero-day vulnerability was exploited at scale. Supply chain attacks, often initiated through social engineering or pipeline vulnerabilities, highlight the cascading risks of compromising open source maintainers. Organizations face challenges such as CI/CD pipeline breaches, as seen in cases like Aqua Security's Trivy, which prompted overhauls of infrastructure practices, including secure credential storage and external workflow isolation. Mitigation strategies include reducing GitHub Actions risks, improving transparency in breach reporting, and adopting hardened practices like limited privileges in CI/CD systems.

The conversation also explores the evolving threat landscape, with a focus on supply chain and dependency risks, such as worms in 2024, and the need for improved dependency cooldown periods and audits. Offensive security tools like "Smoked Meat" are introduced to analyze CI/CD pipelines and simulate exploitation, contrasting with earlier defensive tools like "poutine." These tools aim to help organizations test defenses by replicating attack scenarios, emphasizing the importance of secrets management and pivoting within environments. Practical advice includes using burner accounts for security testing to avoid GitHub detection and leveraging tools like "Hooli" for safe experimentation. The discussion underscores the historical neglect of CI/CD security, the rapid evolution of threats, and the necessity for proactive measures to bridge the gap between attackers and defenders.

Key takeaways include the persistent risks in open source ecosystems, the role of developers in implementing security practices, and the growing recognition of CI/CD vulnerabilities as a critical attack vector. Tools like "Smoked Meat" and "Bagel" demonstrate the shift toward proactive security testing, while threat modeling of YAML files and strict third-party input policies are recommended to mitigate risks. The podcast also highlights the importance of industry collaboration, responsible disclosure, and the ongoing race between vulnerability disclosure, exploitation, and remediation efforts. Overall, the content stresses the urgent need for organizations to prioritize CI/CD security, adopt offensive testing frameworks, and remain vigilant against evolving threats in open source supply chains.

What If

  • What if you tested your CI/CD pipelines for secrets using an offensive tool like Smoked Meat?

    • Move: Integrate Smoked Meat into your CI/CD workflow to scrape and analyze ephemeral runner memory for exposed secrets (e.g., API keys, credentials).
    • Why Now?: Recent vulnerabilities in GitHub Actions (e.g., TJ Actions Compromise) show that secrets exposure is a critical risk, and proactive testing reduces blind spots.
    • Expected Upside: Identify and fix hidden secrets before they can be exploited, improving your pipeline's resilience to hijacking attacks.
  • What if you moved all privileged workflows (e.g., package publishing) to isolated AWS Lambdas or external runners?

    • Move: Refactor high-privilege CI/CD jobs (e.g., dependency installation, secret validation) to run in isolated environments like AWS Lambdas or self-hosted runners.
    • Why Now?: Supply chain attacks (e.g., Ultralytics Incident) exploit compromised CI/CD workflows, and external runners reduce the attack surface within GitHub Actions.
    • Expected Upside: Limit exposure of sensitive credentials and reduce risk of lateral movement if a runner is compromised.
  • What if you used burner GitHub accounts for threat modeling and penetration testing?

    • Move: Create and use inactive or burner GitHub accounts for testing CI/CD pipeline security (e.g., simulating secret exposure or unauthorized access).
    • Why Now?: GitHub's aggressive ban policies can block legitimate security testing, but burner accounts mimic real-world attack scenarios without triggering alerts.
    • Expected Upside: Validate your pipeline's defenses against exploitation techniques (e.g., secret scraping) without risking your primary account or reputation.

Takeaway

  • Isolate sensitive CI/CD workflows using external services (e.g., AWS Lambda) instead of GitHub Actions to reduce exposure to supply chain attacks and minimize privilege in pipeline execution.
  • Implement strict secret management by avoiding hardcoded credentials in CI/CD pipelines and using secure storage solutions (e.g., vaults) to prevent secrets from being scraped or exfiltrated via tools like Smoked Meat.
  • Conduct threat modeling on YAML pipeline configurations by treating them as microservices architectures, identifying risks like Remote Code Execution (RCE) and ensuring input validation for third-party contributions.
  • Deploy offensive security tools like Smoked Meat to simulate and detect exploitation paths in CI/CD pipelines, ensuring proactive identification of vulnerabilities before attackers can exploit them.
  • Enforce supply chain security practices by regularly auditing dependencies, enforcing cooldown periods for updates, and using tools like Trivy to monitor for known vulnerabilities in open source components.
