TL;DR - We found a vulnerability in GitHub Actions that bypasses allowed Workflow settings by using commits from forked repositories. Read on to learn more about how this works and what to watch out for!

Config-as-Code and GitOps workflows are popular ways to manage CI/CD pipelines. They give developers an easy way to add, review, and monitor changes to automated systems that deploy software to production. But these strategies are only as secure as the repositories they originate from, and understanding how they function is critical to operating a secure supply chain.

As we've seen from the SolarWinds and Codecov incidents, being able to sneak untrusted code into a CI/CD platform can be devastating. These systems often contain privileged secrets for fetching your code, accessing production servers, and more.

In this post we'll look at behavior that we coin "imposter commits" - an intentional (though perhaps unexpected) property of GitHub repositories - and how this led us to discovering a bug in GitHub Actions.

To understand how imposter commits work, we first need to understand how forking works in GitHub.

A fork is a feature commonly found on many Git hosting platforms that allows users to copy a repository to their own user namespace in order to make changes. Forks can act independently of the repository they originated from and can have their own permissions and histories.

When working with Git repositories on GitHub, users typically:

This convenience has a trade-off - when working with commit SHAs directly, how do you know if commit 2e2b0d5 or 74ba35f came from the primary repo or a fork? Has the commit been reviewed and checked into the primary repo's main branch? Could you tell if the commit was authored by a legitimate maintainer of the repo?

This is where the problem of imposter commits comes into play.
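As an added example (not code from the original post), here is a POSIX shell check a CI step could run before trusting a pinned commit SHA: it refuses short prefixes like `2e2b0d5`, confirms the object really is a commit, and asks git whether the SHA is reachable from the repository's reviewed branch rather than merely present in the object store. The demo function builds a constructed throwaway repository with one commit on `main` and one unmerged commit standing in for a fork commit; the function names are my own.

```shell
#!/bin/sh
# Decide whether a commit SHA is part of a repository's trusted branch
# (reachable from it), not just an object that happens to exist because
# it was pushed to a fork or an unreviewed branch.
#
# Usage: is_commit_on_branch <repo-dir> <sha> <branch>
# Exit 0 if <sha> is an ancestor of (or equal to) <branch>, 1 otherwise.
is_commit_on_branch() {
  repo="$1"; sha="$2"; branch="$3"
  # Only accept a full 40-hex SHA: short prefixes are ambiguous across
  # forks, and a branch or tag name would silently bypass the pin.
  case "$sha" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#sha}" -eq 40 ] || return 1
  # The object must exist locally and be a commit (not a blob/tree/tag).
  [ "$(git -C "$repo" cat-file -t "$sha" 2>/dev/null)" = "commit" ] || return 1
  # merge-base --is-ancestor answers "is <sha> reachable from <branch>?"
  git -C "$repo" merge-base --is-ancestor "$sha" "$branch" 2>/dev/null
}

# Constructed demo (hypothetical repo): one reviewed commit on main, plus a
# commit on a side branch that was never merged, standing in for a commit
# that only exists in a fork. Prints one verdict per SHA.
demo_imposter_check() {
  tmp=$(mktemp -d)
  export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
  export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
  git -C "$tmp" init -q 2>/dev/null
  git -C "$tmp" symbolic-ref HEAD refs/heads/main
  echo reviewed > "$tmp/file"
  git -C "$tmp" add file
  git -C "$tmp" commit -q -m "reviewed change merged to main"
  reviewed=$(git -C "$tmp" rev-parse HEAD)
  git -C "$tmp" checkout -q -b unmerged
  echo imposter > "$tmp/file"
  git -C "$tmp" commit -q -am "change that was never reviewed or merged"
  imposter=$(git -C "$tmp" rev-parse HEAD)
  git -C "$tmp" checkout -q main
  result=""
  for sha in "$reviewed" "$imposter"; do
    if is_commit_on_branch "$tmp" "$sha" main; then
      result="$result on-main"
    else
      result="$result not-on-main"
    fi
  done
  rm -rf "$tmp"
  echo "${result# }"   # -> "on-main not-on-main"
}
```

The same check can be pointed at a checkout of the primary repository in a workflow, with `branch` set to the branch that actually receives reviewed merges.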