T0122 - Vulnerability in third-party CI/CD actions

The use of third-party GitHub Actions is very common. As with third-party libraries, this can introduce security risks: a malicious GitHub action has access to very sensitive information and can, for example, exfiltrate environment variables, plant backdoors or malware in source code, or infect build artifacts.

ID: T0122
Type: Technique
Tactic: Initial Access
Summary: Vulnerability in third-party CI/CD actions
State: draft

Mitigations

| id | type | summary | description |
|---|---|---|---|
| M1120 | Mitigation | Store credentials in vault | Sensitive data like credentials and API tokens should not be stored directly in code. Modern applications talk to many third-party APIs, SaaS solutions and other dependencies. This integration usually requires an API token, username & password credential or other similar variable. Sometimes these sensitive credentials include database host strings or hostnames. None of these credentials should be stored directly in code. Software engineers often don't understand the consequences of embedding these credentials in code. This is especially true for JavaScript applications that run client side, as these credentials are often visible by inspecting the JavaScript files running in the local browser. |
| M1220 | Mitigation | Use only trusted third-party GitHub actions from reputable sources | Using only trusted third-party GitHub actions from reputable sources is an important security practice that reduces the risk of vulnerabilities in the CI/CD pipeline. Reputable sources include established GitHub action providers with a history of creating high-quality, secure actions. Organizations can verify the reputation of a third-party GitHub action by researching the provider, reviewing their GitHub action repositories, and checking for reported security issues. |
| M1221 | Mitigation | Review the GitHub action source code | Reviewing the GitHub action code and checking if it has been audited or reviewed by security experts is an important security practice to reduce the risk of vulnerabilities in the CI/CD pipeline. By inspecting the code and checking if it has been audited, organizations can identify potential security issues and increase their confidence in the security of the GitHub action. |
| M1222 | Mitigation | Limit the permissions granted to third-party GitHub actions | Limiting the permissions granted to third-party GitHub actions to only the necessary access required for the task is a security practice that can reduce the risk of vulnerabilities in the CI/CD pipeline. This involves evaluating the required permissions of each action and granting access on a least privilege basis, meaning that only the minimum level of access required for the intended task is granted. By limiting permissions, organizations can reduce the risk of unauthorized access or exposure of sensitive data, thereby improving the overall security of the CI/CD pipeline. |
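
One way to check a workflow file against M1220 and M1222, as an added example that is not part of this framework entry: a line-based scan (not a full YAML parser) that lists actions from owners outside an allowlist and flags `write-all`, write scopes, or a missing `permissions:` block. The `TRUSTED_OWNERS` allowlist, the finding labels and the sample workflow, including the action `example-org/upload-thing`, are assumptions constructed for illustration.

```python
import re

# Assumption: owners this organization has already vetted (hypothetical list).
TRUSTED_OWNERS = {"actions", "github"}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
PERM_RE = re.compile(r"^(\s*)permissions:\s*(.*?)\s*(?:#.*)?$")
SCOPE_RE = re.compile(r"^(\s*)([\w-]+):\s*(read|write|none)\s*(?:#.*)?$")

def audit_workflow(text, trusted=TRUSTED_OWNERS):
    """Return (line, finding, detail) tuples for one workflow file's text."""
    findings, has_permissions, perm_indent = [], False, None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not m.group(1).startswith("./"):  # local actions are first-party
            owner = m.group(1).split("/", 1)[0].lower()
            if owner not in trusted:
                findings.append((lineno, "untrusted-action", m.group(1)))
        p = PERM_RE.match(line)
        if p:
            has_permissions = True
            if p.group(2) == "write-all":
                findings.append((lineno, "write-all", "permissions"))
            perm_indent = len(p.group(1)) if p.group(2) == "" else None
        elif perm_indent is not None and line.strip() and not line.strip().startswith("#"):
            s = SCOPE_RE.match(line)
            if s and len(s.group(1)) > perm_indent:
                if s.group(3) == "write":  # write scopes need a justification
                    findings.append((lineno, "write-scope", s.group(2)))
            else:
                perm_indent = None  # dedent or other key: scope mapping ended
    if not has_permissions:
        findings.append((0, "no-permissions-block", "workflow"))
    return findings

# Constructed sample workflow; example-org/upload-thing is a made-up action.
SAMPLE = """\
on: push
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/upload-thing@v1
"""
```

A workflow with no `permissions:` block is reported with line 0, because its token then falls back to the repository or organization default.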

Detections

| id | type | summary | description |
|---|---|---|---|
| D1260 | Detection | Implement regular security audit and review | Conduct regular security audits and vulnerability assessments of your system and storage configurations to identify and address any potential misconfigurations or vulnerabilities that could lead to exposed storage. This includes reviewing access controls, encryption settings, and other security configurations to ensure they are aligned with best practices and organizational security policies. |
| D1261 | Detection | Implement penetration testing | Penetration testing, also known as ethical hacking or vulnerability assessment, is a proactive approach to mitigating cybersecurity risks. It involves simulating real-world cyber attacks on a system, network, or application in a controlled and authorized manner to identify vulnerabilities and weaknesses that could be exploited by malicious actors. |
| D1262 | Detection | Implement vulnerability assessment | Vulnerability assessment is a proactive approach to mitigating cybersecurity risks by systematically identifying, evaluating, and prioritizing vulnerabilities in a system, network, or application. It involves conducting regular assessments to identify potential weaknesses that could be exploited by attackers, and taking appropriate actions to remediate or mitigate those vulnerabilities. |
| D1590 | Detection | Implement continuous monitoring and logging of the CI/CD process | Continuous monitoring and logging of the CI/CD process can help organizations detect any unusual activities or deviations from the standard workflow. This can include monitoring the pipeline for unusual resource requests or unauthorized access attempts, as well as analyzing logs for unusual activity that may indicate a potential security breach. By establishing a baseline of normal behavior and regularly comparing it to current activity, organizations can quickly identify and respond to any anomalous behavior. Implementing automated alerts and notifications for suspicious activity can also help security teams respond promptly to potential threats. |

References

  1. https://www.truesec.com/hub/blog/secure-your-software-supply-chain-trusting-3rd-parties