medium

Imposter commits vulnerability in GitHub Actions

Published Wed, Mar 8th, 2023

Platforms

github

Summary

A vulnerability in GitHub Actions allows bypassing workflow settings using commits from forked repositories (rather than commits of the main action repo). This "imposter commits" issue can potentially introduce untrusted code into CI/CD pipelines, posing a risk to the security of the software supply chain. The vulnerability stems from GitHub's handling of forked repositories and how commits are shared between forks and parent repositories: a commit pushed to any fork becomes fetchable through the parent repository's URL, so a workflow that pins an action to such a commit SHA fetches code the upstream maintainers never published. A partial mitigation was GitHub prohibiting partial (abbreviated) commit references in workflows; however, no full solution exists currently.

Affected Services

GitHub Actions

Remediation

Remove action dependencies that resolve to commits not present on a branch or tag of the upstream action repository, and enable automated tools such as Dependabot to keep GitHub Actions up to date with known branches/tags.

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/sshayb

Entry Status

Finalized

Disclosure Date

Thu, Sep 8th, 2022

Exploitability Period

Ongoing, partially mitigated

Known ITW Exploitation

-

Detection Methods

Audit CI configurations, particularly for sensitive workflows like deployments or artifact signing, to identify any workflow that could fetch an arbitrary imposter commit. This can be done manually, by auditing action commit hashes and verifying that each one is part of the main action repo (reachable from one of its branches or tags, not merely fetchable from its URL), or with the open-source tool clank (by Chainguard), which checks GitHub Actions workflows for potential imposter commits.
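The audit described above, as an added example that is not part of this entry and not Chainguard's clank: it parses the `uses:` references in a workflow file, classifies each pin, and marks a full-SHA pin as an imposter when the commit is not reachable from any branch or tag of the upstream repository. The workflow text and the `KNOWN_UPSTREAM` map are constructed test data; `git_reachable_from_ref` shows the equivalent check against a real clone and is an assumption about how a practitioner would wire this up, not an API of GitHub or clank.

```python
"""Audit GitHub Actions workflows for imposter-commit exposure (added example)."""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Matches `uses: owner/repo[/subdir]@ref`. Local (./...) and docker:// actions
# carry no `@ref` pinned to a GitHub commit and therefore do not match.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?"
    r"([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)"   # owner/repo
    r"((?:/[^@\s'\"]+)?)"                  # optional path inside the repo
    r"@([^\s'\"#]+)",                      # ref: sha, tag or branch
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-fA-F]{7,39}$")


@dataclass
class Finding:
    repo: str
    ref: str
    kind: str   # "ok", "imposter", "short-sha" or "symbolic"
    line: int


def parse_uses(workflow: str) -> List[Tuple[str, str, int]]:
    """Return (owner/repo, ref, line number) for every remote action reference."""
    refs = []
    for m in USES_RE.finditer(workflow):
        line_no = workflow.count("\n", 0, m.start()) + 1
        refs.append((m.group(1), m.group(3), line_no))
    return refs


def audit(workflow: str, in_upstream: Callable[[str, str], bool]) -> List[Finding]:
    """Classify each pin. `in_upstream(repo, sha)` must answer whether the
    commit is reachable from a branch or tag of the upstream repo itself;
    being fetchable from the repo URL is not enough, since forks share objects."""
    findings = []
    for repo, ref, line_no in parse_uses(workflow):
        if FULL_SHA_RE.match(ref):
            kind = "ok" if in_upstream(repo, ref) else "imposter"
        elif SHORT_SHA_RE.match(ref):
            kind = "short-sha"   # abbreviated pins are ambiguous; GitHub now rejects them
        else:
            kind = "symbolic"    # tag or branch: mutable, so verify what it points to
        findings.append(Finding(repo, ref, kind, line_no))
    return findings


def git_reachable_from_ref(clone_dir: str, sha: str) -> bool:
    """Real-world predicate (assumed wiring, not exercised offline): True if `sha`
    is contained in some branch or tag of `clone_dir`, which must be a plain
    `git clone` of the upstream action repo with no fork remotes added."""
    for args in (["branch", "-r", "--contains", sha], ["tag", "--contains", sha]):
        res = subprocess.run(["git", "-C", clone_dir, *args],
                             capture_output=True, text=True)
        if res.returncode == 0 and res.stdout.strip():
            return True
    return False


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: release
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111
      - uses: actions/setup-go@2222222222222222222222222222222222222222
      - uses: actions/cache@3333333
      - uses: sigstore/cosign-installer@v3
      - uses: ./.github/actions/local-thing
"""

# Constructed stand-in for the upstream clones: commits actually on each repo's
# branches/tags. The setup-go pin is deliberately absent, i.e. an imposter.
KNOWN_UPSTREAM = {
    "actions/checkout": {"1111111111111111111111111111111111111111"},
    "actions/setup-go": {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
}


def in_constructed_upstream(repo: str, sha: str) -> bool:
    return sha in KNOWN_UPSTREAM.get(repo, set())


def demo() -> dict:
    """Map each pinned ref in the sample workflow to its classification."""
    return {f.ref: f.kind for f in audit(SAMPLE_WORKFLOW, in_constructed_upstream)}


if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOW, in_constructed_upstream):
        print(f"line {f.line}: {f.repo}@{f.ref} -> {f.kind}")
```

In practice you would replace `in_constructed_upstream` with a closure that clones each referenced upstream repository once and calls `git_reachable_from_ref`; anything classified `imposter` belongs in the remediation list above, and `symbolic` pins should be resolved to a SHA and re-checked rather than trusted.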

Piercing Index Rating

-

Discovered by

Billy Lynch, Chainguard