- Use static analysis for GHA to catch security issues: https://github.com/zizmorcore/zizmor

- set locally: pnpm config set minimum-release-age 4320 # 3 days in minutes (https://pnpm.io/supply-chain-security); for other package managers check: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e...

- add Socket Free Firewall when installing npm packages on CI https://docs.socket.dev/docs/socket-firewall-free#github-act...

The only way to 'harden your github actions' is to not use github actions.

Makes sense tbh :)

Disabling vscode/cursor extensions auto-updates also makes sense

Thanks for making me aware of zizmor, just ran and fixed all issues on our core repos.

You are welcome! Recently discovered it and found it genuinely useful. Fixed a bunch of issues in my workflows too :)

You also need to make sure you take care using PR titles and descriptions in your GHA because if they contain `text` it *may be executed lmfao.

edited: not "will", may depending on your GHA

Can you cite this? It's not YAML execution syntax. Surely GitHub doesn't do it; the only vector I can see is if you put it unquoted into a shell script inside of a GHA YAML.

I think he means template-injection -- https://woodruffw.github.io/zizmor/audits/#template-injectio...

Yes that's it.

https://github.com/orgs/community/discussions/27065

https://stackoverflow.com/questions/77090044/github-actions-...

https://www.praetorian.com/blog/pwn-request-hacking-microsof...

All you need is user content containing `backticked`, and a GitHub Action referencing that via e.g. "github.event.issue.title" where the shell would normally execute `backticked` as a command (like echo, cat, etc).

Maybe zizmor could catch this https://github.com/zizmorcore/zizmor but I'm not 100% sure.

Yeah, zizmor checks for template injection.

Nice
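
The template-injection pattern discussed above, as an added example that is not from the thread and is not zizmor's implementation: a line-based heuristic that flags `${{ ... }}` expressions from user-controlled contexts when they sit inside a `run:` script, and ignores the same expression when it is passed through `env:`. The sample workflow, the context list and the function name are assumptions made for illustration.

```python
import re

# Constructed sample workflow (not from the thread): the first step pastes the
# issue title into the script text, the second passes it via an env variable.
SAMPLE_WORKFLOW = """\
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
      - name: hardened
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
"""

# Assumed, non-exhaustive subset of contexts an outside user can control.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.event\.(?:issue|pull_request|comment|review)"
    r"\.(?:title|body)|github\.head_ref)\s*\}\}"
)
RUN_KEY = re.compile(r"^\s*(?:-\s+)?(run):\s*(.*)$")


def find_template_injection(workflow_text):
    """Return [(line_number, context)] for untrusted expressions in run: scripts."""
    findings = []
    run_col = None  # column of the active run: key, or None outside a script
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines do not end a block scalar
        indent = len(line) - len(line.lstrip())
        if run_col is not None and indent > run_col:
            script = line  # continuation of the run: block
        else:
            run_col = None
            m = RUN_KEY.match(line)
            if not m:
                continue  # env:, with:, name: etc. are not shell text
            run_col, script = m.start(1), m.group(2)
        findings += [(lineno, e.group(1)) for e in UNTRUSTED.finditer(script)]
    return findings


if __name__ == "__main__":
    for lineno, ctx in find_template_injection(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ctx} is expanded into the script before the shell runs")
```

Only the first step is reported: in the second, the expression is expanded into an environment variable's value, so the shell receives the title as data rather than as script text.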