From eb9265e65043eb9d722976bec5a0bcdef693f1d3 Mon Sep 17 00:00:00 2001
From: JBakstPaloAlto
Date: Sun, 14 Jul 2024 11:17:25 +0300
Subject: [PATCH 1/4] Created GitHub Actions pipeline uploads GITHUB_TOKEN in artifact policy

---
 .../policy-reference/book.yml | 2 +
 .../gha-upload-token-artifact.adoc | 58 +++++++++++++++++++
 .../github-cicd-pipeline-policies.adoc | 4 ++
 3 files changed, 64 insertions(+)
 create mode 100644 docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/github-cicd-pipeline-policies/gha-upload-token-artifact.adoc

diff --git a/docs/en/enterprise-edition/policy-reference/book.yml b/docs/en/enterprise-edition/policy-reference/book.yml
index 0b459a5704..dd22b64fc9 100644
--- a/docs/en/enterprise-edition/policy-reference/book.yml
+++ b/docs/en/enterprise-edition/policy-reference/book.yml
@@ -2653,6 +2653,8 @@ topics:
 topics:
 - name: GitHub CI/CD Risks Policies
 file: github-cicd-pipeline-policies.adoc
+ - name: GitHub Actions pipeline uploads GITHUB_TOKEN in artifact
+ file: gha-upload-token-artifact.adoc
 - name: GitHub Actions pipeline vulnerable to command injection
 file: ghaction-vuln-cmnd-inj.adoc
 - name: GitHub private repository made public
diff --git a/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/github-cicd-pipeline-policies/gha-upload-token-artifact.adoc b/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/github-cicd-pipeline-policies/gha-upload-token-artifact.adoc
new file mode 100644
index 0000000000..3c85e64cca
--- /dev/null
+++ b/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/github-cicd-pipeline-policies/gha-upload-token-artifact.adoc
@@ -0,0 +1,58 @@
+== GitHub Actions pipeline uploads GITHUB_TOKEN in artifact
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+
+|Prisma Cloud Policy ID
+|25287f9d-807c-4cac-927c-2033fe7d8fb6
+
+|Severity
+|Critical
+// add severity level
+
+|Category
+|Credential Hygiene
+// add category+link
+
+|Subtype
+|Build
+// add subtype-build/runtime
+
+|Frameworks
+|GitHub
+
+|===
+
+=== Description
+
+The pipeline uploads artifacts that may contain the local `.git` folder which crucially includes a GitHub Actions runner token (GITHUB_TOKEN). These artifacts are accessible to any user with read permission against the repository. In public repositories, they are also publicly available.
+
+The *actions/checkout* GitHub Action stores the GITHUB_TOKEN in the local `.git` folder by default. Uploading this folder exposes the token along with the artifact.
+
+The GitHub Actions job token is a short-lived token that allows actions to be performed against the repository while the workflow job is running. However, attackers might be able to download artifacts storing the token, extract it and use it before the job ends. This vulnerability arises from v4 of actions/checkout, where the artifact is available for download even before the workflow ends. Depending on the pipeline permissions, attackers could potentially use the token to push malicious code to the repository, publish packages, and steal secrets.
+
+=== Recommended Solution - Buildtime
+
+* Do not upload the `.git` folder in artifacts
+
+* Set the “persist-credentials” setting to `false` when using the actions/checkout GitHub action if credentials are not required in subsequent steps. This ensures that the GITHUB_TOKEN is not written to the runner’s filesystem in the local `.git` folder
+
+* Prevent future vulnerabilities by scanning artifacts for secrets before uploading them, as they are usually compiled in environments rich with sensitive information
+
+*To minimize the risk*:
+
+* Modify the default permissions granted to the GITHUB_TOKEN using the ‘permissions’ attribute in the workflow yaml file, allowing only the minimum permissions required to execute a pipeline.
++
+In addition, we recommend specifying permissions for each job in the pipeline. This minimizes the exposure of binaries and actions present in the pipeline to the repository.
++
+For more information refer to https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs[Assigning permissions to jobs] in the GitHub documentation.
+
+* Modify the pipeline's default permissions to ‘read repository contents’ at the highest possible level (organization or enterprise, where applicable).
++
+This reduces the potential attack surface for pipelines that lack explicit permission definitions.
++
+For more information refer to:
+https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-default-github_token-permissions[Configuring the default GITHUB_TOKEN permissions] in the GitHub documentation.
diff --git a/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/github-cicd-pipeline-policies/github-cicd-pipeline-policies.adoc b/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/github-cicd-pipeline-policies/github-cicd-pipeline-policies.adoc
index 08cfb1ace3..0ad8d926e2 100644
--- a/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/github-cicd-pipeline-policies/github-cicd-pipeline-policies.adoc
+++ b/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/github-cicd-pipeline-policies/github-cicd-pipeline-policies.adoc
@@ -6,6 +6,10 @@
 |===
 |Policy|Category|Severity
+|xref:gha-upload-token-artifact.adoc[GitHub Actions pipeline uploads GITHUB_TOKEN in artifact]
+|Credential Hygiene
+|Critical
+
 |xref:ghaction-vuln-cmnd-inj.adoc[GitHub Actions pipeline vulnerable to command injection]
 |Input Validation
 |Critical

From 8782e61f621dddc43eb9ff9ff1900236df0ecaf9 Mon Sep 17 00:00:00 2001
From: JBakstPaloAlto
Date: Sun, 14 Jul 2024 11:41:48 +0300
Subject: [PATCH 2/4] Added an index to CI/CD policies

---
 .../ci-cd-pipeline-policies.adoc | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/ci-cd-pipeline-policies.adoc b/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/ci-cd-pipeline-policies.adoc
index 8a928e47e8..8a94f0e9ea 100644
--- a/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/ci-cd-pipeline-policies.adoc
+++ b/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/ci-cd-pipeline-policies.adoc
@@ -1 +1,17 @@
-== CI/CD Risks Policies
\ No newline at end of file
+== CI/CD Risks Policies
+
+This section includes:
+
+* xref:azure-repo-cicd-pipeline-policies/azure-repo-cicd-pipeline-policies.adoc[Azure Repos CI/CD Risks Policies]
+
+* xref:bitbucket-cicd-pipeline-policies/bitbucket-cicd-pipeline-policies.adoc[Bitbucket CI/CD Risks Policies]
+
+* xref:circleci-cicd-pipeline-policies/circleci-cicd-pipeline-policies.adoc[CircleCI CI/CD Risks Policies]
+
+* xref:cross-platform-cicd-pipeline-policies/cross-platform-cicd-pipeline-policies.adoc[Cross Platform CI/CD Risks Policies]
+
+* xref:github-cicd-pipeline-policies.adoc[GitHub CI/CD Risks Policies]
+
+* xref:gitlab-cicd-pipeline-policies.adoc[GitLab CI/CD Risks Policies]
+
+* xref:docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/jenkins-cicd-pipeline-policies/jenkins-cicd-pipeline-policies.adoc[Jenkins CI/CD Risks Policies]

From 4ce6554ec6f9f8cc78617214272b583929cf90e7 Mon Sep 17 00:00:00 2001
From: JBakstPaloAlto
Date: Sun, 14 Jul 2024 11:51:40 +0300
Subject: [PATCH 3/4] fix links in index to gh, gl and jenkins

---
 .../ci-cd-pipeline-policies/ci-cd-pipeline-policies.adoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/ci-cd-pipeline-policies.adoc b/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/ci-cd-pipeline-policies.adoc
index 8a94f0e9ea..73d9caf9fe 100644
--- a/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/ci-cd-pipeline-policies.adoc
+++ b/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/ci-cd-pipeline-policies.adoc
@@ -10,8 +10,8 @@ This section includes:
 * xref:cross-platform-cicd-pipeline-policies/cross-platform-cicd-pipeline-policies.adoc[Cross Platform CI/CD Risks Policies]
-* xref:github-cicd-pipeline-policies.adoc[GitHub CI/CD Risks Policies]
+* xref:github-cicd-pipeline-policies.adoc[GitHub CI/CD Risks Policies]
 * xref:gitlab-cicd-pipeline-policies.adoc[GitLab CI/CD Risks Policies]
-* xref:docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/jenkins-cicd-pipeline-policies/jenkins-cicd-pipeline-policies.adoc[Jenkins CI/CD Risks Policies]
+* xref:jenkins-cicd-pipeline-policies.adoc[Jenkins CI/CD Risks Policies]

From 8dd09b93585667a205f67748909de1ba7f0dd51b Mon Sep 17 00:00:00 2001
From: JBakstPaloAlto
Date: Sun, 14 Jul 2024 12:13:41 +0300
Subject: [PATCH 4/4] fix2 links in index to gh, gl and jenkins

---
 .../ci-cd-pipeline-policies/ci-cd-pipeline-policies.adoc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/ci-cd-pipeline-policies.adoc b/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/ci-cd-pipeline-policies.adoc
index 73d9caf9fe..0ea541b07e 100644
--- a/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/ci-cd-pipeline-policies.adoc
+++ b/docs/en/enterprise-edition/policy-reference/ci-cd-pipeline-policies/ci-cd-pipeline-policies.adoc
@@ -10,8 +10,8 @@ This section includes:
 * xref:cross-platform-cicd-pipeline-policies/cross-platform-cicd-pipeline-policies.adoc[Cross Platform CI/CD Risks Policies]
-* xref:github-cicd-pipeline-policies.adoc[GitHub CI/CD Risks Policies]
+* xref:github-cicd-pipeline-policies/github-cicd-pipeline-policies.adoc[GitHub CI/CD Risks Policies]
-* xref:gitlab-cicd-pipeline-policies.adoc[GitLab CI/CD Risks Policies]
+* xref:gitlab-cicd-pipeline-policies/gitlab-cicd-pipeline-policies.adoc[GitLab CI/CD Risks Policies]
-* xref:jenkins-cicd-pipeline-policies.adoc[Jenkins CI/CD Risks Policies]
+* xref:jenkins-cicd-pipeline-policies/jenkins-cicd-pipeline-policies.adoc[Jenkins CI/CD Risks Policies]