How to Harden GitHub Actions: The Unofficial Guide

Over the past three years , researchers have highlighted the risks associated with GitHub Actions. These threats became manifest with two recent incidents. First, last December brought a supply chain attack where attackers exploited a vulnerable GitHub Actions workflow to introduce an XMRig cryptominer to deployment versions of the Ultralytics Python package. Then, in March, we had the “tj-actions" incident. The attacker in this incident took advantage of multiple common anti-patterns associated with GitHub Actions and clearly leveraged the existing research literature to inform their tactics. An in-depth analysis of that incident is available in our blog posts: As a short recap: A vulnerability in spotbugs/sonar-findbugs allowed an attacker to compromise the Personal Access Token (PAT) of a Spotbugs contributor That compromised PAT was used to grant a temporary, malicious user spotbugs/spotbugs repository access The write access to spotbugs/spotbugs was used to push a malicious w ... Read full article.