GitHub Actions Goat: Deliberately Vulnerable GitHub Actions CI/CD Environment

parinaznasr/github-actions-goat

GitHub Actions Goat: Vulnerable by Design GitHub Actions Workflows

Maintained by stepsecurity.io. License: Apache 2.0.

GitHub Actions Goat by StepSecurity is an educational project that simulates common security mistakes that can occur in GitHub Actions workflows.

The importance of Continuous Integration/Continuous Deployment (CI/CD) security has recently been underlined by guidance from the Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA). As per their document Defending Continuous Integration/Continuous Delivery (CI/CD) Environments:

CI/CD environments have become attractive targets for malicious cyber actors (MCAs) aiming to introduce malicious code, steal intellectual property, or cause denial of service attacks against applications.

The increasing number of supply chain attacks on CI/CD environments, such as the infamous SolarWinds, Codecov, and ua-parser-js attacks, paints a vivid picture of this growing threat.

GitHub Actions Goat incorporates best practices from GitHub's Security Hardening for GitHub Actions guide and the CISA/NSA guidance on CI/CD security to show how each of these vulnerabilities can be avoided in real-world GitHub Actions workflows.

Getting Started

To get started:

  1. Create a fork of the repo.

  2. Go to the Actions tab in the fork. Click the "I understand my workflows, go ahead and enable them" button.

     [Screenshot: Enable Actions]

  3. Click on a link in the Solution column below and follow the tutorials.

Understanding Vulnerabilities and Solutions with GitHub Actions Goat

This project not only demonstrates vulnerabilities but also presents solutions and references to best practices for each issue. In each scenario, we demonstrate how a particular threat can be mitigated.

Each entry below gives the vulnerability, the solution tutorial, and the references it is based on.

  1. Poisoned Workflows Exfiltrating CI/CD Secrets
     Solution: GitHub Actions Runtime Security - Filter Network Traffic
     References: (1) Implement network segmentation and traffic filtering; (2) Implement endpoint detection and response (EDR) tools

  2. Poisoned Workflows Tampering with Source Code or Artifacts during Build
     Solution: GitHub Actions Runtime Security - Detect File Tampering
     References: Implement endpoint detection and response (EDR) tools

  3. Lack of Detailed Audit Logs for CI/CD Activities
     Solution: Trace deployments to CI/CD pipeline and commit
     References: "Keep audit logs" section in CISA/NSA guide

  4. Overprivileged GITHUB_TOKEN Permissions
     Solution: Update workflows to use least privileged GITHUB_TOKEN permissions
     References: "Use credentials that are minimally scoped" in GitHub's Security Guide

  5. Use of Long-Term CI/CD Credentials
     Solution: (1) Audit and rotate registered secrets; (2) Use OpenID Connect (OIDC) in GitHub Actions workflows
     References: (1) "Audit and rotate secrets" in GitHub's Security Guide; (2) "Using OpenID Connect to access cloud resources" in GitHub's Security Guide; (3) "Minimize the use of long-term credentials" in CISA/NSA document

  6. Use of Untrusted 3rd Party GitHub Actions
     Solution: (1) Review GitHub Actions used across your Organization; (2) Pin actions to a full length commit SHA
     References: (1) "Using 3rd party Actions" in GitHub's Security Guide; (2) "Restrict untrusted libraries and tools" section in CISA/NSA document

  7. Outdated GitHub Actions with Known Vulnerabilities
     Solution: Configure Dependabot to keep Actions up to date
     References: (1) "Using Dependabot version updates to keep Actions up to date" in GitHub's Security Guide; (2) "Keep CI/CD tools up-to-date" section in CISA/NSA document

  8. Absence of Security Scanning within the CI/CD Pipeline
     Solution: Integrate security scanning as part of the CI/CD pipeline
     References: "Integrate security scanning as part of the CI/CD pipeline" section of the CISA/NSA guide

  9. Secrets Stored as Plaintext in Workflow Files
     Solution: Scan for Secrets in Workflow Files
     References: (1) "Using Secrets" section in GitHub's Security Guide; (2) "Secure secrets" section in CISA/NSA document

  10. Secrets Logged in the Build Logs
     Solution: Scan for Secrets in Build Logs
     References: (1) "Using Secrets" section in GitHub's Security Guide; (2) "Secure secrets" section in CISA/NSA document
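As an added illustration (not code from the GitHub Actions Goat repository), the script below applies three of the checks from the list above to a workflow file: a missing `permissions:` block (item 4), `uses:` references not pinned to a full-length commit SHA (item 6), and credential-looking literals set directly in the workflow (item 9). The workflow text, the `NPM_TOKEN` value and the 40-hex SHA are constructed placeholders, and the regexes are a line-based heuristic rather than a full YAML parser.

```python
import re
from typing import List

# Constructed sample workflow that shows several of the mistakes listed above.
SAMPLE_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      NPM_TOKEN: npm_abcdef0123456789abcdef0123456789abcdef01
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm ci
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Heuristic: an upper-case env key that looks like a credential, assigned a literal.
SECRET_ENV = re.compile(r"^\s*([A-Z0-9_]*(TOKEN|SECRET|PASSWORD|KEY)[A-Z0-9_]*):\s*(\S+)")


def check_workflow(text: str) -> List[str]:
    """Return findings (strings) for the text of one workflow file."""
    findings = []
    lines = text.splitlines()
    # Item 4: without an explicit permissions block the GITHUB_TOKEN gets the
    # repository default scope, which may be broader than the job needs.
    if not any(ln.strip().startswith("permissions:") for ln in lines):
        findings.append("no `permissions:` block; GITHUB_TOKEN uses default scope")
    for n, line in enumerate(lines, 1):
        m = USES_LINE.match(line)
        if m and "@" in m.group(1) and not m.group(1).startswith("docker://"):
            ref = m.group(1).rsplit("@", 1)[1]
            # Item 6: a tag or branch is mutable; only a full commit SHA is immutable.
            if not FULL_SHA.match(ref):
                findings.append(f"line {n}: {m.group(1)} not pinned to a full commit SHA")
        m = SECRET_ENV.match(line)
        # Item 9: secrets should be referenced as ${{ secrets.NAME }}, never inlined.
        if m and not m.group(3).startswith("${{"):
            findings.append(f"line {n}: {m.group(1)} appears to be a plaintext secret")
    return findings


if __name__ == "__main__":
    for finding in check_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Running it against the sample reports the missing permissions block, the plaintext `NPM_TOKEN`, and the tag-pinned `actions/checkout@v3`, while the SHA-pinned `setup-node` step passes.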
