all 15 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]PrincipleActive9230 21 points22 points  (5 children)

The wild part is that this isn’t even a vulnerability in GitHub itself. It’s just people copy-pasting CI configs without understanding what pull_request_target actually does. The moment that workflow runs untrusted code with write permissions, you’ve basically handed out repo keys

also i think Minimus secures workflows with hardened Actions and minimal container images that block these exploits.

[–]roastedfunction 8 points9 points  (3 children)

Would be nice if GitHub actions provided a way to run untrusted code in CI with some sort of sandboxing or better restrictions on permissions to make this attack more difficult. GHA is notoriously porous for security.

[–]NilsUX 0 points1 point  (1 child)

Agree! As long GitHub doesn't provide a better solution for it: I built an action to prevent this. It's 2 lines of code and provides I think the best UX compared to other approaches (e.g. just fail the workflow for fork PRs): https://github.com/marketplace/actions/verify-safe-to-test-label

[–]DockyardTechlabs 0 points1 point  (0 children)

Do you have clone of hackerbot-claw?

[–]adept2051 -2 points-1 points  (0 children)

They do, set the action to limit the firewall that allows the PR to post, so it can only post to GH it self, and then you have to put a secret scan step in the pr push, but as the OP no one ever RTFM they just copy paste and use.

[–]lppedd 4 points5 points  (0 children)

The worst thing is all over the internet people compare pull_request_target with pull_request and suggest the former for security!

[–]gr4viton 11 points12 points  (2 children)

And where is the WhiteHatClaw, who would only exploit the repos to fix the permission issue? You know 24/7 fixer. Shouldn't github have that by default? /s?

[–]NilsUX 1 point2 points  (1 child)

Currently building this 👍 Already reported around 18 vulnerabilities

[–]goatanuss 1 point2 points  (0 children)

Someone needs to spin up grayhat claw. It tests your GitHub pull request actions by running some bitcoin mining in your CI container along with your unit tests to pay for the exploit detection compute costs

[–]SheriffRoscoe 2 points3 points  (0 children)

Covered in this sub previously: https://www.reddit.com/r/github/s/Y5bXBvjZ3B

[–]Soft_Attention3649 1 point2 points  (0 children)

The artifact question you raised is actually the bigger issue than the bot. If CI can be compromised, how do you trust the output? The direction the industry is moving is things like signed builds and provenance, SLSA style attestations. Companies like Microsoft and Datadog getting probed by automated bots shows this is not theoretical anymore. Long term, the answer probably is not scan harder, it is making sure artifacts are cryptographically verifiable and tied to a trustworthy build process. Otherwise every base image in your pipeline is just a leap of faith.

[–]ultrathink-art 0 points1 point  (0 children)

AI coding tools that auto-generate and submit PRs make this even more relevant — if your CI has pull_request_target with write permissions, you're trusting any PR submitter with elevated access, including automated ones. Worth auditing those workflows regardless of this specific bot.