Source Code at Risk: GitHub Token Leaks in CI/CD Processes
Palo Alto Networks has discovered vulnerabilities within the CI/CD processes of several prominent open-source projects, including those developed by Google, Microsoft, AWS, and Red Hat. The issue pertains to the leakage of GitHub tokens, which can be exploited for unauthorized access to private repositories, theft of source code, or injection of malicious software.
The tokens end up in artifacts due to a combination of factors: insecure default settings, user configuration errors, and insufficient security checks during the setup of workflows in GitHub. A key element in this problem is the widely used “actions/checkout” action in GitHub workflows, which clones the repository code so that it is available to the rest of the workflow.
By default, this action stores the token in the local .git directory. If that directory is inadvertently uploaded as an artifact, the token becomes accessible to outsiders. The directory may also contain other sensitive data, such as API keys and cloud service access tokens.
The problem is exacerbated by the fact that artifacts generated during CI/CD processes, such as build and test results, may be stored and remain accessible for up to three months. Another risk involves environment variables used in CI/CD pipelines to store GitHub tokens, which could accidentally be logged, making them accessible through artifacts.
An attacker who gains access to leaked tokens can exploit various race condition scenarios, attempting to extract and use the tokens before they expire. GitHub tokens are valid for the duration of a workflow, and their usability depends on the specific context. For instance, the “Actions_Runtime_Token” used by GitHub for managing caching and artifacts is typically active for six hours, limiting the window of opportunity for an attack.
Palo Alto Networks identified 14 major open-source projects where token leaks occurred and notified the developers. Among these projects are Firebase (Google), OpenSearch Security (AWS), Clair (Red Hat), JSON Schemas (Microsoft), and others.
GitHub users are advised to review their CI/CD process configurations, avoid uploading entire directories as artifacts, sanitize logs, and regularly audit their configurations. It is also crucial to establish the minimum necessary access rights for tokens to mitigate risks in case of a leak.
Despite Palo Alto Networks’ findings, the core issues remain unresolved, as GitHub has opted not to address the risk, placing the responsibility for artifact protection on the users. Given the circumstances, GitHub users must recognize the risks, assess their vulnerability, and take proactive measures to prevent future leaks.
Users are strongly encouraged to reevaluate their CI/CD pipeline configurations, avoid including entire directories in artifacts, clean logs, and regularly review workflow settings. Additionally, default settings for actions like “actions/checkout” should be modified to prevent the storage of tokens and other sensitive data. Limiting token permissions to the minimum necessary for workflow execution will also help reduce potential damage in the event of a leak.
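The following workflow is an added illustration, not from the article or from GitHub, of the leak mechanism described above and of the recommended fixes: a `risky` job that keeps the checkout defaults and uploads the whole working tree, beside a `hardened` job that disables credential persistence, scopes the token to read-only, checks the staging directory before upload, and ships only the build output. `persist-credentials`, `permissions` and the `path` input are real GitHub Actions settings; `make build` and the `dist/` directory are placeholders for the project's own build.

```yaml
name: artifact-hygiene-example
on: [push]

jobs:
  # Weak pattern: checkout defaults plus a whole-tree artifact.
  risky:
    runs-on: ubuntu-latest       # GITHUB_TOKEN keeps the repository default scope
    steps:
      - uses: actions/checkout@v4
        # persist-credentials defaults to true, so the token is written into
        # .git/config as an "AUTHORIZATION: basic ..." extraheader
      - run: make build          # placeholder build step
      - uses: actions/upload-artifact@v4
        with:
          name: build-risky
          path: .                # uploads everything, .git/config included

  # Hardened form of the same job.
  hardened:
    runs-on: ubuntu-latest
    permissions:
      contents: read             # least privilege: the token can only clone
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # token is never written to .git/config
      - run: make build          # placeholder build step, expected to write dist/
      - name: Refuse to upload a .git directory or a leaked credential header
        run: |
          test ! -e dist/.git
          if grep -rIq "AUTHORIZATION: basic" dist; then
            echo "credential header found in artifact staging directory"
            exit 1
          fi
      - uses: actions/upload-artifact@v4
        with:
          name: build-hardened
          path: dist/            # only the build output, never the repo root
```

The guard step is written with an `if` rather than `! grep ...` because the default `bash -e` run shell does not fail a step on a negated command.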