Rooted

Cybersecurity, done right.


CI/CD Security: PPE

CI/CD environments are among the most security-critical systems an organization runs: they build and ship the software, and they hold a large number of secrets, passwords and tokens.
Nevertheless, the culture of hardening these environments is still dangerously inadequate.

Poisoned Pipeline Execution (PPE) is a class of vulnerability in Continuous Integration/Continuous Deployment pipelines.
It occurs when an attacker who can influence source control, but has no direct access to the build environment, injects malicious code or configuration into what the pipeline executes, so that unintended or harmful actions run during the build, test, or deployment stages.
Because those stages run with the pipeline's own credentials, a successful PPE attack compromises the integrity of the software being built and deployed, and can lead to unauthorized access, leaked secrets, and manipulation of the software supply chain.
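To make the pattern concrete, here is an added example (not the post's own code): a small heuristic scanner, written in Python for this page, that reads a GitHub Actions workflow as text and flags the three PPE ingredients described above, namely a privileged trigger fired by untrusted input, a checkout of the pull-request head under that trigger, and untrusted event data interpolated into a shell step. The two workflows it runs on are constructed for the example; the hardened one shows the usual fix (plain pull_request, no head checkout, untrusted values passed through env instead of being inlined into the script). The trigger and context lists are assumptions chosen for illustration, not an exhaustive catalogue.

```python
"""Heuristic PPE scanner for GitHub Actions workflows (illustrative code added
to this page, not the post's tooling).  Works on the raw YAML text, so no yaml
library is required."""
import re

# Triggers that run in the base repository's context (secrets available, a
# write-capable GITHUB_TOKEN) while being fired by untrusted contributors.
PRIVILEGED_UNTRUSTED_TRIGGERS = {"pull_request_target", "issue_comment"}

# `ref:` values that check out code supplied by the pull-request author.
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/")

# Event fields an outside contributor controls; interpolated into a shell
# step they become command injection (partial list, assumed for the example).
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*github\.event\.(?:"
    r"pull_request\.(?:title|body|head\.ref|head\.label)"
    r"|issue\.(?:title|body)|comment\.body"
    r"|head_commit\.message|commits\[\d*\]\.message"
    r"|review\.body|review_comment\.body)"
)

_ON_KEY = re.compile(r"""^(?:on|"on"|'on'):\s*(.*)$""")
_SCRIPT_KEY = re.compile(r"(?:-\s*)?(run|script):\s*(.*)$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def triggers(lines: list[str]) -> dict[str, int]:
    """Return {event_name: line_number} for the workflow's `on:` block."""
    found: dict[str, int] = {}
    in_on = False
    for no, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _indent(line) == 0:
            m = _ON_KEY.match(stripped)
            in_on = bool(m)
            if m and m.group(1):                       # on: push  /  on: [a, b]
                for name in re.findall(r"[A-Za-z_]+", m.group(1)):
                    found.setdefault(name, no)
        elif in_on and _indent(line) == 2:             # on:\n  pull_request_target:
            m = re.match(r"-?\s*([A-Za-z_]+)", stripped)
            if m:
                found.setdefault(m.group(1), no)
    return found


def scan_workflow(text: str) -> list[tuple[int, str]]:
    """Return (line_number, finding) pairs, sorted by line."""
    lines = text.splitlines()
    events = triggers(lines)
    privileged = {e for e in events if e in PRIVILEGED_UNTRUSTED_TRIGGERS}
    findings = [(events[e], f"trigger '{e}' runs with base-repo secrets on untrusted input")
                for e in privileged]

    run_indent = None            # indentation of an open `run: |` block scalar
    for no, line in enumerate(lines, 1):
        stripped = line.strip()
        if run_indent is not None and stripped and _indent(line) <= run_indent:
            run_indent = None    # block scalar ended
        m = _SCRIPT_KEY.match(stripped)
        if m:
            if m.group(2) in ("|", ">", "|-", ">-", "|+", ">+"):
                run_indent = _indent(line)
            in_script = True
        else:
            in_script = run_indent is not None
        if in_script and UNTRUSTED_CONTEXT.search(line):
            findings.append((no, "untrusted event data interpolated into a shell step (script injection)"))
        if privileged and re.match(r"ref:\s", stripped) and PR_HEAD_REF.search(stripped):
            findings.append((no, "pull-request head checked out under a privileged trigger (PPE)"))
    return sorted(findings)


# Constructed sample: pull_request_target + PR-head checkout + inlined PR title.
VULNERABLE_WORKFLOW = """\
name: pr-build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Building ${{ github.event.pull_request.title }}"
      - run: |
          npm ci
          npm run build
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""

# Constructed sample: same job, hardened.
HARDENED_WORKFLOW = """\
name: pr-build
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Building $PR_TITLE"
      - run: npm ci && npm run build
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, scan_workflow(wf) or "no findings")
```

The scanner is deliberately text-based so it can be dropped into a pre-commit hook or a CI job without extra dependencies; a real deployment would also want to consider `workflow_run` chains and any step that executes code from the checked-out tree (package manager hooks, test runners), which the head-checkout finding covers only indirectly.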

In the video below we demonstrate live exfiltration of secrets, via remote code execution, from a GitHub Actions workflow vulnerable to PPE:


As a bonus, here is one of many queries that can be entered directly into GitHub code search to find workflows that may expose sensitive information about AWS accounts in their action logs. It matches workflow files that invoke the AWS CLI's Lambda deployment subcommands, which typically means the workflow runs with AWS credentials:

"aws lambda" AND (path:.github/workflows) AND ("publish-version" OR "update-function-configuration" OR "update-function-code")