
[CramHacks] Newsletter #18: Taking Over GitHub Runner Images for Total Domination

CramHacks Chronicles: Key Insights On Software Supply Chain Risks

🥳 Happy Monday! 🥳

Software Supply Chain Security

Adnan Khan breaks down the risk of using self-hosted runners on public repositories and how GitHub failed to listen to its own advice, leaving the actions/runner-images repository vulnerable. Adnan was awarded a $20,000 bounty for his discovery.

👋 In the wrong hands, this could have easily compromised GitHub’s runner base images, potentially compromising configured secrets for everyone using a hosted runner, or worse. The impact of that, if gone undetected, would be insane. If abused, this could’ve been the worst software supply chain incident ever 🤯.

👋 Yes, you should have an open-source security policy or something baked into your organization’s software development lifecycle policy. Even without tooling, you’ll want to have an enforceable policy to hold developers accountable if they, for example, abuse open-source licenses.

Griffin Choe, Figma Software Engineer, details how the Figma security engineering team leveraged commit signatures and Okta Device Trust certificates to protect GitHub release branches.

In December 2023, Stacklok introduced Frizbee, a command line utility that makes it easier to secure GitHub Actions. To automate GitHub Actions pinning across repos, Frizbee has been integrated into Minder, an open-source platform that helps you apply and enforce security policies across GitHub repos.

A tool to add in-toto attestations (a specification for generating verifiable claims about any aspect of how a piece of software is produced) to SBOMs (Software Bills of Materials). The SBOMit specification provides verifiable information that can be validated to assert the legitimacy of a provided SBOM.

👋 I can see why this might be desirable, especially for major defense contractors. Still, considering the current state of SBOMs and their inaccuracies when there’s no malicious intent, I’d put this very low on my priority list.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle