First: Git tags are not immutable.
When you write actions/trivy-action@v0.69.4 in your pipeline you are not pinning
to a fixed commit. The tag is just a pointer and whoever controls
the repo can silently move it to point to different code. Most teams
assume a version tag means a fixed version. It does not.
Second: Git does not verify who makes a commit.
Anyone can set their name to any Aqua Security developer they want. The malicious commit
looked like it came from a trusted author because Git has no identity
enforcement at all.
The practical fix for the first problem is pinning to a full commit
hash instead of a tag name. That hash cannot be moved.
Almost nobody does this by default which is why the attack worked
at scale. its very common supply chain failure pattern.
> The practical fix for the first problem is pinning to a full commit hash instead of a tag name
If the underlying project in turn uses named tags, i.e. if the hash pinning doesn't apply transitively, then the protection appears incomplete, doesn't it?
Correct. As an attacker you just move one level deeper.
If the target pins their direct actions to commit hashes you compromise
a dependency of the action instead. They pinned the top of the tree
but you own something in the middle of it.
SolarWinds was not attacked directly. The attackers compromised Orion,
a build tool SolarWinds depended on. SolarWinds had decent security
on their own code. It did not matter because the attack came through
a dependency they trusted and did not control.
The defender has to secure the entire chain. The attacker only has
to find one weak link anywhere in it. That asymmetry is why supply
chain attacks keep working.
Um ok, but the "setting the name to any string" is not the real problem, which is that an attacker had the ability to write to the repository at all, regardless of the name they choose, no?
As I mentioned below, another mitigation for this kind of supply chain attack is to fork the action repos into your own organization to allow tighter control over their content.
First: Git tags are not immutable. When you write actions/trivy-action@v0.69.4 in your pipeline you are not pinning to a fixed commit. The tag is just a pointer and whoever controls the repo can silently move it to point to different code. Most teams assume a version tag means a fixed version. It does not.
Second: Git does not verify who makes a commit. Anyone can set their name to any Aqua Security developer they want. The malicious commit looked like it came from a trusted author because Git has no identity enforcement at all.
The practical fix for the first problem is pinning to a full commit hash instead of a tag name. That hash cannot be moved.
Almost nobody does this by default which is why the attack worked at scale. its very common supply chain failure pattern.