Public secrets exposure leads to supply chain attack on GitHub CodeQL

1. Sytten ◴[31 Mar 25 07:08 UTC] No.43532057[source]▶

An again this would not be so bad an impact if github finally pushed their immutable actions [1]. I sound like a broken record since I keep repeating that this would solve like 70%+ of the scope of attacks on gha today. You would think that the weekly disaster they have would finally make them launch it.

[1] https://github.com/features/preview/immutable-actions

replies(1): >>43532082 #

2. thund ◴[31 Mar 25 07:13 UTC] No.43532082[source]▶

>>43532057 (TP) #

They probably have good reasons if it's still in preview, that could be serious bugs, security gaps, potential breaking changes that would cause more harm than good if rushed, etc

replies(2): >>43532304 #>>43533725 #

3. intelVISA ◴[31 Mar 25 07:49 UTC] No.43532304[source]▶

>>43532082 #

Too much stakeholder alignment?

replies(1): >>43533171 #

4. tanepiper ◴[31 Mar 25 10:09 UTC] No.43533171{3}[source]▶

>>43532304 #

More like last year they laid off a whole bunch of people. We've been waiting for several open tickets on GitHub to be picked up, some were but seem to be abandoned and others just ignored.

5. 1oooqooq ◴[31 Mar 25 11:30 UTC] No.43533725[source]▶

>>43532082 #

the only reason any company does or don't anything: not required for sales.

in 2019 i saw a fortune500 tech company put in place their own vulnerability scanner internal application which included this feature for our enterprise github repos. the tool was built and deployed to an old Linux docker image that was never updated to not be the target of the attack they were preventing... they never vetted to random version they started with either. i guess one can still use zip bomb or even the xz backdoor for extra irony points when attacking that system.

anyway, the people signing github checks also get promoted by pretending to implement that feature internally.