![]() Message stating that the GHA is disabled for malicious repositories mining cryptocurrencies Users can see that the GHA is disabled by going to the Actions tab on the repository here's the message shown:įigure 4. GHA code for running a Monero cryptocurrency miner inside the Windows runnerįor most of these repositories, GitHub has flagged them and disabled the GHA feature, which blocks them from doing that again in this repository. GHA code for running a Monero cryptocurrency miner inside the Ubuntu runnerįigure 3. ![]() They use GitHub's provided runners to do that for free (just look at the runs-on tag). That would be fine if they used their servers for the mining process, but that's not the case. github/workflows in a YAML format, running cryptominers. Since then, GitHub has placed some security measures to prevent this from happening, which will be discussed further.Ī quick search on GitHub will show hundreds of repositories with GHA files, anything inside. This involved forking a repository with a GHA enabled and then submitting a pull request to trigger the action. An example of GitHub Actions componentsĮarly in 2021, there have been some reports of threat actors and malicious users abusing this service to trick vulnerable repositories and users into deploying coinminers and mining cryptocurrency for them. Runners: A server that has the GHA runner application installedįigure 1.Actions: The standalone commands from the steps.Steps: These are tasks from a job that can be used to run commands.Jobs: A group of one or more steps that are executed inside a runner.Events: An activity that triggers a workflow these can be based on events such as push or pull requests, but they can also be scheduled using the crontab syntax.Workflows: Automated procedure added to the repository, and is the actual Action itself.These are the six main components of a GHA: This article covers some security risks and best practices about using GHA as your primary CI tool.Īctions are formed by a set of components. One advantage of GHA is that developers do not need a separate CI tool since GHA runs directly from GitHub, where the project code is generally located. Workflows are event-driven, meaning that after a specified event has occurred, the developer can trigger one or more commands to run on their repository. According to GitHub, the feature helps developers automate tasks within the software development life cycle. In 2019, GitHub released its own CI tool called GitHub Actions. As more developers link their GitHub projects and codes’ repositories to GHA for the ease of setup and the amount of customization it offers for workflows’ cycles, we also make security recommendations to ensure projects’ safety from unauthorized usage and misconfiguration in the long run. We look into the one of the commonly used CI tools today, GitHub Actions (GHA): its infrastructure and security posture, and the possible threats and risks cybercriminals can take advantage of inside the tool. These CI tools, which include Jenkins, CircleCI, TravisCI, GitLab CI/CD, Azure DevOps, and AWS CodePipeline, are well-known in the development community. It executes a series of tests to make sure everything is okay. These tools - cloud- and server-based - ensure that the new changes don't break the code and the application continues to work correctly after the changes are applied. One of the main tools used in this process is a continuous integration (CI) tool, which automates the integration of code changes from multiple developers working on the same project. More organizations are applying a DevOps thought-process and methodology to optimize software development.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |