CICD Security: Unveiling Vulnerabilities in GitHub Reusable Workflows
In this episode, Johannes and Richard dive deep into CI/CD pipeline security, focusing on GitHub reusable workflows and keyless signing with Sigstore.
Richard explains the intricacies of the signing process and why it matters to link source code to the software built from it in a trustworthy way. They discuss a key weakness in GitHub reusable workflows that can be abused if the workflow's OIDC identity is not properly restricted.
Richard walks through examples from repositories such as Argo CD and Bank-Vaults, detailing how these issues can be mitigated with tighter access control on who may call a reusable workflow. Tune in to learn about securing your CI/CD pipelines and ensuring trust in your software's identity.
As an AWS Security Hero, Richard is an expert in security-related topics, and he showcases a vulnerability in reusable GitHub Workflows that you should know about.
Reach out to Richard: richardfan1126
Links:
Blog post https://blog.richardfan.xyz/2024/08/0...
Sigstore https://www.sigstore.dev/
https://search.sigstore.dev/
00:00 Introduction to CICD and Episode Overview
00:21 Guest Introduction and Background
03:38 Discussion on Supply Chain Security
07:44 Deep Dive into Code Signing
11:48 Exploring Keyless Signing and SIGstore
13:00 Simulating an Attack on Reusable Workflows
25:53 Mitigation Strategies and Fixes
36:49 Final Thoughts and Security Best Practices
Video: Exploring Vulnerabilities in GitHub Reusable Workflows: Richard's Expert Advice on OIDC Attacks, from the channel CI and CD on Amazon Web Services (AWS).