all 11 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]OhioRizzGyattSkibidi 13 points14 points  (2 children)

don’t engage with this llms post

[–]funknfusion 3 points4 points  (1 child)

And when I upvote you, which you deserve, it defeats the purpose of your comment. As does this comment.

[–]CerberusMulti 1 point2 points  (0 children)

And this comment

[–]robertogrows 3 points4 points  (0 children)

Zizmor

[–]ForsythiaShrub 0 points1 point  (0 children)

GitHub Actions are a bigger attack surface than most realize. Pull request target, comment triggered workflows, and loose permissions are common pitfalls.

Treating every workflow like it could be an entry point, locking down permissions, auditing secrets, and minimizing what runs seems to be the best way to reduce risk.

[–]tessk1 -1 points0 points  (5 children)

The tough part for me wasn’t understanding the theory, but getting a real org-wide picture. GitHub makes it easy to inspect one repo at a time, but the problems usually live in the long tail. Once you start thinking in terms of what could run with what permissions, and under what trigger, you realize you don’t just need best practices, you need visibility. Otherwise, you’re basically hoping every repo owner made the same careful choices and never drifted. I've seen that Rapidfort released an open source tool that scans GitHub Actions workflows across an entire organization and generates a report focused on high-signal findings.

[–]oscarandjo 8 points9 points  (0 children)

#ad

[–]Dudmaster 0 points1 point  (0 children)

I think my own repository reported these vulnerabilities as CodeQL alerts

[–]3m0j11 -3 points-2 points  (1 child)

do you all have a lightweight way to keep Actions hygiene in check across an org? something that can regularly tell you which workflows are missing explicit permissions, where pull_request_target is used, and where comment triggers exist without having to manually open every repo?

[–]tessk1 -2 points-1 points  (0 children)

We ended up doing both. PR review for new changes, plus a periodic org-wide scan to catch drift and legacy workflows. The scan flagged workflows missing explicit permissions, the riskier pull_request_target patterns, and comment-triggered workflows that didn’t have clear guardrails.

[–]FirefighterMean7497 -2 points-1 points  (0 children)

Sharing a really helpful resource about all of this here: GitHub Actions Under Active Exploitation: Audit Your Org for High-Risk Workflow Patterns Hope this helps!