
297 points cyberbender | 1 comments
nyrikki No.43528008
No mention why this temp token had rights to do things like create new deployments and generate artifact attestations?

For their fix, they disabled debug logs...but didn't answer if they changed the temp token's permissions to something more appropriate for a code analysis engine.

declan_roberts No.43528290
I think we all know this old story. The engineer building it was getting permission denied so they gave it all the permissions and never came back and right-sized.
azemetre No.43528378
What's the over/under that said engineer could solve two medium leetcodes in under an hour?