
297 points cyberbender | 1 comment
nyrikki No.43528008
No mention of why this temp token had rights to do things like create new deployments and generate artifact attestations?

For their fix, they disabled debug logs... but didn't answer whether they changed the temp token's permissions to something more appropriate for a code analysis engine.

beaugunderson No.43538343
Temporary action tokens have full write by default; you have to explicitly opt for a read-only version.

    > Read and write permissions
    > Workflows have read and write permissions in the repository for all scopes.
If you read this line of the documentation (https://docs.github.com/en/actions/security-for-github-actio...), you might think otherwise:

    > If the default permissions for the GITHUB_TOKEN are restrictive, you may have to elevate the permissions to allow some actions and commands to run successfully.
But I can confirm that in our GitHub organization "Read and write permissions" was the default, and thus that line of documentation makes no sense.
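The opt-out the comment above describes, as an added example that is not from the thread, the linked documentation, or the project under discussion: a code-scanning workflow that refuses to inherit the organization's "Workflow permissions" default. The top-level `permissions: {}` strips every scope from GITHUB_TOKEN, and each job grants back only the scopes it needs, so nothing in the workflow can create deployments or sign attestations even if the org default is read/write. The workflow name, job names, branch name and analysis language are assumed for illustration.

```yaml
# Added example: a CodeQL-style workflow that does not rely on the
# organization's "Workflow permissions" default. Workflow name, job names,
# branch name and the analysis language are assumed for illustration.
name: code-scanning

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Default-equivalent (what an org set to "Read and write permissions"
# hands every workflow that says nothing):
#   permissions: write-all
#
# Hardened: revoke every GITHUB_TOKEN scope at the workflow level. A job
# without its own `permissions:` block then gets a token that can do nothing.
permissions: {}

jobs:
  analyze:
    runs-on: ubuntu-latest
    # Grant back only what code analysis needs. Listing any scope here sets
    # every unlisted scope (deployments, attestations, packages, ...) to none.
    permissions:
      contents: read          # check out the source
      actions: read           # codeql-action reads run metadata (private repos)
      security-events: write  # upload SARIF results to code scanning
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v3

  # A job that genuinely needs to write gets exactly that one scope.
  comment-on-pr:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    needs: analyze
    permissions:
      pull-requests: write
    steps:
      - run: gh pr comment "$PR" --body "Code scanning finished."
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.html_url }}
```

Setting `permissions:` in the workflow file overrides the repository or organization default under Settings > Actions > General > Workflow permissions, so the least-privilege token no longer depends on whoever administers that setting; flipping the org default to "Read repository contents and packages permissions" is still worth doing for workflows that have no `permissions:` block at all.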