We generally discourage usage of "random" GitHub Actions and apps. It's part of why we also separate build from release steps, and the release part is the only one that gets secrets available to it, limiting what a bad actor can do. With the increase of PRs with agents, being diligent about this becomes more important. I could imagine we would need to set harder limits to avoid someone missing a GitHub Action detail update in a PR.
As seen in the previous days, attackers can also leverage misconfigurations of GitHub Actions to gain access to repositories.
See aquasecurity/trivy#10265 and the resulting discussion: aquasecurity/trivy#10278
Is there a need for the Quarkus project and Quarkiverse projects to have some kind of scanning for misconfigured GitHub Actions?
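A small line-based checker for two of the workflow misconfigurations this thread touches on: `uses:` references not pinned to a full commit SHA (the kind of action "detail update" in a PR that is easy to miss) and over-broad `permissions` on the workflow token. It is an added example, not code from the Quarkus project or this discussion; the sample workflow and its 40-hex placeholder SHA are constructed, and it deliberately avoids a YAML library so it runs with the standard library only.

```python
import re

# Constructed sample workflow (not from the discussion): one action pinned to a
# placeholder commit SHA, one floating tag, and an over-broad permissions block.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: some-org/some-action@v1
      - uses: ./.github/actions/local-step
      - run: ./mvnw -B verify
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERMS_RE = re.compile(r"^(\s*)permissions:\s*(\S*)")


def find_unpinned_actions(text):
    """Return (line_no, ref) for each external action not pinned to a full commit SHA."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local composite actions and docker images are outside this check.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append((no, ref))
    return findings


def find_broad_permissions(text):
    """Return line numbers where permissions are 'write-all'; a leading 0 means no
    top-level permissions block exists, so the token falls back to repo defaults."""
    findings = []
    has_top_level = False
    for no, line in enumerate(text.splitlines(), 1):
        m = PERMS_RE.match(line)
        if not m:
            continue
        indent, value = m.groups()
        if indent == "":
            has_top_level = True
        if value == "write-all":
            findings.append(no)
    if not has_top_level:
        findings.insert(0, 0)
    return findings


def scan_workflow(text):
    """Combine both checks into one report for a workflow file's contents."""
    return {"unpinned": find_unpinned_actions(text),
            "broad_permissions": find_broad_permissions(text)}


if __name__ == "__main__":
    print(scan_workflow(SAMPLE_WORKFLOW))
```

Point `scan_workflow` at each file under `.github/workflows/` to get a first-pass report; it is a lint, not a substitute for reviewing what an updated action actually does.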