GenAI Consulting’s Post

For this third article in our series on exploiting #GitHub Actions, ☀️ Hugo Vincent explains 3 common configuration errors that can be encountered on public GitHub repositories using GitHub Actions. Each technique is illustrated by a real-life example we found on popular repositories such as Azure, Firebase, Swagger and Alibaba. If exploited by a malicious actor, they could lead to leaks of sensitive secrets or even arbitrary code push in some cases. The good news is you can detect them with octoscan (https://lnkd.in/gD-KqHmy), our static vulnerability scanner for GitHub Actions. https://lnkd.in/g8DejgcY

A mishandled GitHub token granted unrestricted access to Mercedes-Benz AG's internal GitHub Enterprise Service, exposing sensitive source code to the public. Discovered on September 29, 2023, by RedHunt Labs, the incident revealed critical internal information, including database connection strings, cloud access keys, blueprints, design documents, SSO passwords, and API keys. The exposure of such data can have severe consequences, as outlined by the researchers. Read more below and here 👉: https://lnkd.in/dwep68JM #github #mercedesbenz #databreach #automotive

ArtiPACKED: GITHUB_TOKENs leaked in GitHub Actions Artifacts. Researchers uncovered a critical vulnerability in GitHub Actions that could allow attackers to compromise high-profile open source projects and potentially access cloud environments. The issue involves workflow artifacts inadvertently leaking sensitive tokens and credentials. The vulnerability stems from a race condition where attackers can download artifacts and extract tokens before expiration, potentially enabling unauthorized code pushes. Many popular open source projects from major tech companies were affected, including widely-used tools impacting millions of users. As a proof-of-concept, researchers created unauthorized branches in several major repositories. I've encountered this behavior accidentally before; there's definitely potential to leverage this for nefarious things. Pay extra attention to any GitHub Actions workflows that involve cloning repos and use "persist-credentials: true" https://lnkd.in/g_Nvrv8q

Just finished the course “GitHub Administration Cert Prep: 6 Manage Actions” by Noah Gift! Check it out: https://lnkd.in/eqkEffG8 #systemadministration #github.

We just launched Ubicloud hosted Arm runners for GitHub Actions. These runners bring a 100x price/performance benefit over GitHub's default runners when you’re building & testing for arm64. https://lnkd.in/epk9-ac9 We put together a blog post that shows these numbers; and also talks about other topics such as ease of use and security on GitHub runners. My favorite part of the blog post is what our customers are saying. As Wilkins Chung, the CEO of Manifold puts it, "ARM based builds have always been a pain on GitHub. The need to use workaround images and the additional time it took to run these images kept hurting. Ubicloud's ARM runners solved these issues with a one-line change and we're way more productive because of it!” #github #githubactions #arm #ubicloud

The speedup of not having to emulate makes it a satisfying and practical device to have contributed to. I also expect it to have great economy on portable, parallelized workloads: two arm64 vcpus = two cores, two x64 vcpus is almost always only one core because of SMT.

📣 Let’s start this summer week by spending ~7 minutes for the common good! No matter how boring they might seem, surveys _are_ essential! Recently, Cloud Native Computing Foundation (CNCF) and The Linux Foundation Research have launched the “Kubernetes Turns 10” survey to understand the impact of #Kubernetes. To participate, you’ll need to share your views on Kubernetes, its evolution, and its visible impact. You will not only contribute to creating a helpful report about Kubernetes but will also get a 30% discount on any LF e-learning training course or certification exam 👍 Find it here and share it with your colleagues: https://lnkd.in/gv774gEj

We now have a 100x price-performance gain vs default GitHub runners when using Ubicloud ‘s managed runners for Arm. The best part of it is, you can see it for your own in less than 5 minutes, with just a few lines of change in your GitHub Actions workflow file. 10x here comes in the form of cloud cost savings. The other 10x from performance gains using native Arm processors on Ubicloud. My cofounder Ozgun Erdogan’s blog post has all the details. We are excited to make the cloud less expensive and more friendly — let us know what you think.

GitHub’s new ✨ push rules let you restrict paths, file names, path lengths and file sizes 🐘 for your repos. What could you do with a global 🌐 .gitignore? This is a win 🏆 for security🛡️- you could make an org wide rule to block the names such as: *.env *secret*.y*ml passwords.txt 🫠 id_rsa id_ed25519 *.pem *.der *.key *.crt *.cer *.p7b *.p7s *.pfx *.p12 … and so on You might want to commit test keys and certs, so these are just examples, not a definitive list. Want to only allow some roles, teams or apps to push to .github/workflows to protect the integrity of your CI? You can do that. Don’t want documents mixed with code? Ban the file names: *.pptx *.xlsx *.docx … and so on Share your favourite banned file names! 👇 They’re not available for public repos. If you’ve got views on that or any other feedback then share those here: https://lnkd.in/e4afz6MJ How will you use push rules? #GitHub #BranchProtection #AppSec #DevSecOps #DevOps

Happy 10th Birthday, Kubernetes! Today, Kubernetes turns 10! It's been a decade filled of revolutionizing container orchestration in the cloud and helping organizations achieve greater agility & efficiency. Read more about Kubernetes' fascinating journey and its impact on the IT landscape & HBD K8s! https://hubs.ly/Q02zSPlg0 #Kubernetes #CloudComputing #DevOps #ITConsulting #k8s #containerization #linux