Thursday, June 27, 2024 • 2:15pm - 3:00pm WEST
Hacker Traction through GitHub Actions - Is Your (Open Source) Project Safe?

GitHub Actions are a part of every open source project, either directly or indirectly. They are an often-overlooked extension of the application-security attack surface, and one that is beginning to attract attackers eager to compromise both open-source and commercial projects through off-the-radar upstream dependencies.

To gain control of, or write access to, a repository, attackers draw on a range of established techniques such as repo jacking and GitHub Actions command injection, among others.

We know that dependencies have dependencies. It also happens that Actions have Actions, which in turn have Actions of their own. The resulting nest of dependencies inside our CI/CD pipelines is complex and, for the most part, unobserved.

In this talk we'll introduce some of the common misconfigurations in GitHub Actions pipelines, then explore the breadth and depth of GitHub Actions dependencies, alongside research into the top 1,000 GitHub projects that shows potential upstream attack paths into major projects.
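As an added example (not material from the talk or from the speaker), the following Python script does a line-based scan of a GitHub Actions workflow for two of the weaknesses the abstract alludes to: untrusted event data expanded directly inside a "run:" script (the expression-injection form of GitHub Actions command injection) and third-party actions referenced by a mutable tag rather than a commit SHA, which is how one link in the Actions-depend-on-Actions chain can be swapped out underneath a project. The list of attacker-controlled contexts, the sample workflow and the 40-hex placeholder SHA are all constructed for the example.

```python
"""Line-based scan of a GitHub Actions workflow for two classic weaknesses.

1. Expression injection: ${{ github.event.* }} values an outside contributor
   controls (issue titles, PR bodies, branch names, ...) expanded inside a
   `run:` script. The runner substitutes the expression before the shell
   starts, so shell quoting does not protect against it; the fix is to pass
   the value through an environment variable and reference "$VAR" instead.
2. Unpinned actions: `uses: owner/repo@v4` follows a mutable tag that the
   upstream maintainer (or whoever takes over the repo) can move to new
   code. Pinning to a full 40-hex commit SHA removes that freedom.

Added example only; regex-based and deliberately PyYAML-free. The context
list is a partial, hand-picked selection, not an exhaustive catalogue.
"""
import re
from dataclasses import dataclass
from typing import List

# Contexts populated from attacker-controllable event data (constructed list).
INJECTION = re.compile(
    r"\$\{\{\s*("
    r"github\.event\.(?:issue|pull_request|comment|review|discussion)\.(?:title|body)"
    r"|github\.event\.pull_request\.head\.(?:ref|label)"
    r"|github\.event\.(?:head_commit|commits\[[^\]]*\])\.message"
    r"|github\.head_ref"
    r")\s*\}\}"
)
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")
USES_KEY = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow file
    kind: str      # "expression-injection" or "unpinned-action"
    detail: str


def _indent(s: str) -> int:
    return len(s) - len(s.lstrip())


def _check_script(script_line: str, lineno: int, findings: List[Finding]) -> None:
    for hit in INJECTION.finditer(script_line):
        findings.append(Finding(lineno, "expression-injection",
                                f"untrusted context {hit.group(1)} is expanded inside run:"))


def scan_workflow(text: str) -> List[Finding]:
    """Return findings for one workflow file, in line order."""
    findings: List[Finding] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]

        m = USES_KEY.match(line)
        if m:
            ref = m.group(1)
            # Local (./path) and docker:// references carry no git tag to pin.
            if not ref.startswith(("./", "docker://")) and "@" in ref:
                action, _, version = ref.rpartition("@")
                if not FULL_SHA.match(version):
                    findings.append(Finding(i + 1, "unpinned-action",
                                            f"{action} follows mutable ref '{version}' instead of a commit SHA"))
            i += 1
            continue

        m = RUN_KEY.match(line)
        if m:
            value = m.group(1)
            if value.startswith(("|", ">")):
                # Block scalar: the script is every following line indented
                # deeper than the 'run' key itself (blank lines stay inside).
                key_col = line.index("run:")
                j = i + 1
                while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > key_col):
                    _check_script(lines[j], j + 1, findings)
                    j += 1
                i = j
                continue
            # Plain one-line scalar (multi-line plain scalars are not handled).
            _check_script(value, i + 1, findings)
        i += 1
    return findings


# Constructed workflow: one vulnerable step, its hardened twin, one action on a
# mutable tag and one pinned to a placeholder SHA (not a real commit).
SAMPLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Echo title (vulnerable)
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
          ./scripts/label.sh
      - name: Echo title (hardened)
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run against the sample it reports the checkout step on line 9 and the echo on line 12; the hardened step passes because the untrusted value reaches the shell only as an environment variable, which the shell treats as data rather than re-parsing it. This is a lint, not a parser: CI linters such as actionlint perform the same untrusted-input check with a full YAML model of the workflow.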


Speakers
Stephen Giguere

Developer Advocate, Palo Alto Networks
Steve started his cybersecurity life by being kicked out of his high school computing class for privilege escalation on the school Linux system and changing all passwords to "peaches" (his dog's name). But that was a long time ago. Since then he has experienced a wide breadth...


