-
Notifications
You must be signed in to change notification settings - Fork 11
2022 02 23 sre chat
Tristram Oaten edited this page Feb 23, 2022
·
1 revision
-
James Sheppard JS
-
Daniel Burnley DBu
-
David Biddle DBi
-
Tris Oaten TO
-
Lee Porte LP
-
Stephen Grier SG
-
SG took us through a gh actions threat modelling session with pay.
- token auto approve prs - fixed centrally
- supply chain attack, can't lockdown where we pull code from
- should be pinning dependency versions to a sha
- third-party actions, pull in other people's workflow
- extra route to pull in code
- Actions have public build logs
- fine as long as things are configured correctly, which we cannot guarentee currently.
- don't manage gh as code in the way we manage our aws infra
- we should only use actions if we use infra-as-code
- Reccomend configure the repo as code with terraform, for changing settings etc
- GH actions do a good job at redacting secrets
- if you echo it, it redacts it
- if you commmit it, it disables the token
- mitigated by using openid-connect
- Air-gapping PRs from deployments
- Yaml config means syntax is bad, can set permissions in the wrong scope
- PRs are inherently untrustworthy
- make sure the perms in the workflow is tightly scoped
- use OIDC where possible for prod secrets
- short lived creds are good
- mitigates releasing in build logs
- Use "CodeOwners" to limit who can edit workflows
- mitigates devs editing workflows and running a PR
- Securing dev accounts - unrelated
- Make sure workflows can't run from PRs run on forks, they can grab secrets
- Don't let secrets get into
- Solutions
- remove public logs
- infra as code
- with correct rules
- Private repo?
Go back Home