In this workshop we will learn about the risk of script injection in GitHub Actions workflows, and how to mitigate that risk.
- Who is this for: developers, DevOps engineers
- What you'll learn: the risk of script injection in GitHub Actions workflows and how to mitigate that risk; how to use CodeQL to detect vulnerabilities in workflows; and how to write custom queries to customize the detection of issues in workflows.
- What you'll build: workflows that are not vulnerable to script injection attacks, CodeQL workflows to detect vulnerabilities, and custom CodeQL queries.
In this workshop, you will:
- learn about script injection vulnerabilities in GitHub Actions workflows
- learn how to mitigate script injection vulnerabilities in GitHub Actions workflows
- learn how GitHub Advanced Security can help you build secure GitHub Actions workflows
Before joining the workshop, there are a few items that you will need to install or bring with you.
- a GitHub account
- Visual Studio Code IDE installed on your laptop
The Check issue title workflow simply checks whether the issue title begins with octocat. If so, the workflow succeeds. If not, the workflow fails.
This workflow is vulnerable to script injection. Let's find out why.
Exercise 1
The Check issue comment workflow simply checks whether the issue comment begins with octocat. If so, the workflow succeeds. If not, the workflow fails.
This workflow is vulnerable to script injection. Let's find out why.
Exercise 2
Let's see how we can mitigate the script injection vulnerability in the run command.
Exercise 3
Let's see how we can mitigate the script injection vulnerability in the github-script action.
Exercise 4
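The following workflow is an added example, not one of the workshop's own exercise files, showing the mitigated form of both checks: the issue title reaches the `run` step only through an environment variable, so the shell treats it as data rather than as part of the command, and the github-script step reads the comment body from `context` instead of interpolating a `${{ }}` expression into the script source. The workflow name, step names and the `v7` action tag are assumptions.

```yaml
name: Check issue title and comment (hardened)
on:
  issues:
    types: [opened, edited]
  issue_comment:
    types: [created]
permissions:
  contents: read   # least privilege: nothing here writes to the repository

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      # Unsafe pattern (for contrast only): `"${{ github.event.issue.title }}"`
      # written directly inside `run:` is expanded into the shell script before
      # it executes, so quotes and metacharacters in the title become shell code.
      - name: Check issue title
        if: github.event_name == 'issues'
        env:
          # The expression is evaluated into an environment variable instead.
          TITLE: ${{ github.event.issue.title }}
        run: |
          # "$TITLE" is quoted, so the value is never re-parsed by the shell.
          if [[ "$TITLE" == octocat* ]]; then
            echo "Issue title starts with octocat"
          else
            echo "Issue title does not start with octocat"
            exit 1
          fi

      # Unsafe pattern (for contrast only): `const body = "${{ github.event.comment.body }}"`
      # would splice the comment text into JavaScript source at evaluation time.
      - name: Check issue comment
        if: github.event_name == 'issue_comment'
        uses: actions/github-script@v7
        with:
          script: |
            // Read the event payload from `context`; the value is a plain string
            // and is never parsed as code.
            const body = context.payload.comment.body ?? '';
            if (body.startsWith('octocat')) {
              core.info('Issue comment starts with octocat');
            } else {
              core.setFailed('Issue comment does not start with octocat');
            }
```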
Let's create an actions workflow to scan our workflow files using CodeQL.
Exercise 5
Now let's look at another way we can use CodeQL to secure our GitHub actions workflows.
Exercise 6