May 6, 2022

GHA Runners - Security In Action

An excellent write-up by Magno Logan about GitHub Actions (GHA), one of the most commonly used CI tools today.

This article covers some of the security risks of using GHA as your primary CI tool, and best practices for doing so.

About GitHub Actions (GHA)

GitHub Actions was released in 2019. Working as a CI tool, it helps developers automate tasks within the software development life cycle (SDLC). One advantage of GHA is that developers do not need a separate CI tool: the workflow executes directly from GitHub.

An Action is formed by a set of components. These are the six main components of a GHA:

  • Workflows: An automated procedure added to the repository; the workflow is the actual Action itself
  • Events: An activity that triggers a workflow; these can be based on events such as push or pull requests, but they can also be scheduled using the crontab syntax
  • Jobs: A group of one or more steps that are executed inside a runner
  • Steps: These are tasks from a job that can be used to run commands
  • Actions: The standalone commands from the steps
  • Runners: A server that has the GHA runner application installed
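To make the six components concrete, here is an added example workflow (not from the original article or from the write-up it summarizes) that labels each component in place and restricts the token the runner receives; the `npm test` command is an assumption about the repository.

```yaml
# Added example, not from the original article: a minimal workflow that
# maps onto the six GHA components and gives the runner a read-only token.
# Assumed: the repository has a test suite that runs with `npm test`.
name: ci                       # Workflow: the Action itself, stored under .github/workflows/

on:                            # Events: the activity that triggers the workflow
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 3 * * 1'        # crontab syntax: every Monday at 03:00 UTC

permissions:                   # Least privilege for the GITHUB_TOKEN handed to the runner
  contents: read

jobs:                          # Jobs: groups of steps, each executed inside one runner
  test:
    runs-on: ubuntu-latest     # Runner: a GitHub-hosted server with the runner application installed
    timeout-minutes: 15        # Bounds how long a compromised job can occupy the runner
    steps:                     # Steps: the tasks inside the job
      - name: Check out source
        uses: actions/checkout@v4   # Action: a standalone, reusable command; pin to a full commit SHA in production
      - name: Run tests
        run: npm test               # Step that runs a shell command directly on the runner
```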


The full article contains much more information, including:

  1. GitHub Actions (GHA) and its components
  2. GitHub Action (GHA) runners
  3. Cryptomining with GitHub Actions
  4. Ubuntu Runner reconnaissance
  5. Scanning for vulnerabilities
  6. Setting up a reverse shell with Netcat and more
  7. The Mono Web Server XSP
  8. Scanning other runners
  9. Conclusions and recommendations
  10. Trend Micro solutions

GitHub Action Runners

Links: