Hacker News new | ask | show | jobs
by _alxk 1733 days ago
Shameless plug for something I've been working on: https://github.com/ovotech/gitoops/

I wrote GitOops to map attack paths through GitHub and CI/CD systems, at scale.

As an ex-pentester, for most companies I got to work with, all you need to do is open a PR against the right repositories to take over sensitive production environments. I suspect for most companies, an attacker compromising a single employee/intern with GitHub/Lab access is enough to lead to a disaster scenario.
1 comments
DelightOne 1733 days ago
How can they be avoided without stopping the use of CI/CD? I assume it is the same with GitLab?
link
wdella 1733 days ago
> How can they be avoided without stopping the use of CI/CD?

Use separate systems for CI and CD, and don't put sensitive "keys to the kingdom" credentials in CI. For example:

Put CI in GitHub Actions or GitLab CI without any credentials to write artifacts or knowledge of stage/prod deployments. Let the "interns" in the threat model use this.

Put production CD/release in Jenkins or a similar self hosted, not publicly accessible system. Limit the folks who can trigger jobs in this system to a small group of trusted employees, and don't trigger runs on actions that don't require U2F auth (e.g. require a manual click through the webui protected by SSO, or only deploy from specific branches protected to only allow approved PRs -- no git client pushes).

> I assume it is the same with GitLab?

Yes. While GitLab does offer some secret and variable masking controls, the Travis disclosure earlier this week where all secrets were exposed to Pull Request CI shows you probably don't want to bet your business on those controls. (Acknowledging GitLab != Travis)

See https://travis-ci.community/t/security-bulletin/12081

link
Normal_gaussian 1733 days ago
Use protected branches (only inject prod secrets on master, which can't be pushed to) and have test secrets for other branches. Now your weak spot is only anyone who can hit merge on a PR to master, which is easy to control.
link
felixhuttmann 1733 days ago
On gitlab, there has been another way for some time: There is a JWT token CI_JOB_JWT available in an env var which contains the branch name and other info as one of the claims [1]. One can then use this token to obtain production secrets based on whether the branch is trusted.

Github has the same feature upcoming [2], which allows to get also directly AWS or GCP credentials restricted by branch name [3, 4].

[1] https://docs.gitlab.com/ee/ci/examples/authenticating-with-h... [2] https://github.com/github/roadmap/issues/249 [3] https://awsteele.com/blog/2021/09/15/aws-federation-comes-to... [4] https://github.com/sethvargo/oidc-auth-google-cloud

link
Normal_gaussian 1733 days ago
That is awesome, thank you for telling me!
link