[vldszn]

- Use Static analysis for GHA to catch security issues: https://github.com/zizmorcore/zizmor

- set locally: pnpm config set minimum-release-age 4320 # 3 days in minutes https://pnpm.io/supply-chain-security for other package managers check: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e...

- add Socket Free Firewall when installing npm packages on CI https://docs.socket.dev/docs/socket-firewall-free#github-act...

[keyle]

The only way to 'harden your github actions' is to not use github actions.

[abuani]

Maybe GitHub being popped for their own insecure by design platform, will cause them to reconsider growth at all costs. I know it's wishful thinking, but the amount of security incidents the past few years because of how actions was designed is wild. It would be great for them to finally recognize this and take ownership.

[vldszn]

fair point

[vldszn]

Makes sense tbh :)

[robbiet480]

Thanks for making me aware of zizmor, just ran and fixed all issues on our core repos.

[vldszn]

You are welcome! Recently discovered it and found it genuinely useful. Fixed a bunch of issues in my workflows too :)

[bodash]

few more tips here: https://github.com/bodadotsh/npm-security-best-practices

[vldszn]

Disabling vscode/cursor extensions auto-updates also makes sense

[nottorp]

Can that even be done?

Even if there are knobs you can turn to disable auto updates, does that cover everything that decides to change your software behind your back?

[mrgoldenbrown]

On vscode you can control autoupdates. (Still trying to find a way to control zed's overeager updating)

[nottorp]

For vscode or for any extension as well?

Are there misbehaving extensions with their own mechanisms?

[vldszn]

UPD: disable auto-updates for extensions in VS Code/Cursor!

[benoau]

You also need to make sure you take care using PR titles and descriptions in your GHA because if they contain `text` it *may be executed lmfao.

edited: not "will", may depending on your GHA

[vldszn]

Maybe zizmor could catch this https://github.com/zizmorcore/zizmor but not sure 100%

[insanitybit]

Yeah, zizmor checks for template injection.

[vldszn]

Nice

[CGamesPlay]

Can you cite this? It's not YAML execution syntax, surely Github doesn't do it, the only vector I can see is if you put it unquoted into a shell script inside of a GHA yaml.

[benoau]

https://github.com/orgs/community/discussions/27065

https://stackoverflow.com/questions/77090044/github-actions-...

https://www.praetorian.com/blog/pwn-request-hacking-microsof...

All you need is user content containing `backticked`, and a github action referencing that via eg "github.event.issue.title" where the shell would normally execute `backticked` as a command (like echo, cat, etc).

[theteapot]

I think he means template-injection -- https://woodruffw.github.io/zizmor/audits/#template-injectio...

[benoau]

Yes that's it.