Dangerous by default: Insecure GitHub Actions found in MITRE, Splunk, and other open source repositories
Blog post from Sysdig
The Sysdig Threat Research Team (TRT) identified critical security vulnerabilities in GitHub Actions workflows across various high-profile open source projects, including repositories maintained by MITRE and Splunk and the Spotipy Python library. These vulnerabilities primarily revolve around the misuse of the pull_request_target event, which runs in the context of the base repository and can therefore expose repository secrets and grant high-privilege access to attackers when a workflow handles pull requests from untrusted sources. Despite the availability of well-documented methods for securing CI/CD workflows, many projects remain susceptible due to a lack of maturity in implementing security best practices. The article highlights specific instances where these vulnerabilities were exploited to exfiltrate secrets, and it offers recommendations for mitigating such risks, including splitting workflows into privileged and unprivileged components, restricting GITHUB_TOKEN permissions, and using runtime threat detection tools like Falco Actions. The Sysdig TRT continues to collaborate with affected organizations to address these issues and improve the security posture of open source projects.
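As an added illustration (not taken from the Sysdig post or any of the affected repositories), the weak pull_request_target pattern beside the recommended split into an unprivileged and a privileged workflow with a scoped GITHUB_TOKEN; workflow, secret and script names are placeholders, and the three documents stand for three separate files under .github/workflows/.

```yaml
# ci-weak.yml (WEAK): pull_request_target runs with base-repo secrets yet executes fork code
name: ci-weak
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted code from the fork
      - run: pip install . && pytest   # fork-controlled build/tests see the secret below
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # placeholder secret name
---
# ci-unprivileged.yml (HARDENED, part 1): pull_request runs in the fork's context, read-only token, no secrets
name: ci-unprivileged
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install . && pytest --junitxml=report.xml
      - uses: actions/upload-artifact@v4
        with:
          name: test-report
          path: report.xml
---
# ci-privileged.yml (HARDENED, part 2): privileged job on workflow_run; consumes the artifact, never runs fork code
name: ci-privileged
on:
  workflow_run:
    workflows: [ci-unprivileged]
    types: [completed]
permissions:
  contents: read
  pull-requests: write   # only what posting the result needs
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: test-report
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: ./scripts/post-comment.sh report.xml   # placeholder; parse the artifact as untrusted input
```

The privileged workflow never checks out or executes anything from the pull request; the only fork-influenced data it touches is the artifact, which its script must treat as untrusted.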