Prerequisites • Resources • Learning Objectives

In this workshop we will learn about the risk of script injection in GitHub Actions workflows, and how to mitigate that risk.

• Who is this for: developers, devops engineers
• What you'll learn: the risk of script Injections in GitHub Actions workflows, and how to migirate that risk
• What you'll build: workflows that are not vulnerable to script injection attacks

In this workshop, you will:

• Understand Script Injection vulnerabilities in GitHub Actions Workflows
• Learn how CodeQL can detect Script Injection in GitHub Actions Workflows
• Understand how GitHub Advanced Security can mitigate Script Injection vulnerabilities
• Learn how to enhance the detection of vulnerabilties in Workflows using third-party queries
• Learn how to fix the Script Injection vulnerabilties in GitHub Actions Workflows
• Learn how to use the Codespace for CodeQL to develop custom queries
• Learn how to create custom queries to further enhance the protection of GitHub Actions Workflows

Before joining the workshop, there are a few items that you will need to install or bring with you.

• An account on GitHub.com
• A public repo created from this template repo
• Enable GitHub Actions in your repository
• Enable GitHub Advanced Security in your repository

There are many issue ops things you can do with GitHub actions. A common use case is request/approval process:

1. User opens an issue requesting X.
2. If conditions are met, approval is automatic, and a GitHub actions workflow fulfills the request.

An example of this is request-repo-create.

In this example, user input from the issue body is parsed and used in the workflow as the name of the new repository to be created.

You should always be careful when using user inputs in your worfklows. User input can come from any of the following sources:

github.event.issue.title  
github.event.issue.body  
github.event.pull_request.title  
github.event.pull_request.body  
github.event.comment.body  
github.event.review.body  
github.event.review_comment.body  
github.event.pages.*.page_name  
github.event.commits.*.message  
github.event.head_commit.message  
github.event.head_commit.author.email  
github.event.head_commit.author.name  
github.event.commits.*.author.email  
github.event.commits.*.author.name  
github.event.pull_request.head.ref  
github.event.pull_request.head.label  
github.event.pull_request.head.repo.default_branch  
github.head_ref  

The Check issue title workflow simply checks if the title (github.event.issue.title) of the workflow begins with octocat. If so, the workflow succeeds. If not, the workflow fails.

The Check issue title with action workflow uses an action that simply checks if the input of the action begins with octocat. If so, the action succeeds. If not, the action fails.

This workflow and action above are vulnerable to script injection. Let's find out why they are vulnerable, and how to exploit them. Exercise 1

The Check issue comment workflow simply checks if the issue comment (github.event.comment.body) begins with octocat. If so, the workflow succeeds. If not, the workflow fails.

This workflow is vulnerable to script injection. Let's find out why it is vulnerable, and how to exploit it.
Exercise 2

In CodeQL, code is treated like data. Security vulnerabilities, bugs, and other errors are modeled as queries that can be executed against databases extracted from code. You can run the standard CodeQL queries, written by GitHub researchers and community contributors, or write your own to use in custom analyses. Queries that find potential bugs highlight the result directly in the source file.

In CodeQL, the Javascript language extractor includes support for YAML and the libraries support Actions framework. GitHub also provides queries for some common CWEs in Actions Workflows.

GitHub Advanced Security uses CodeQL as the tool for Code Scanning. Code Scanning creates security alerts when vulnerabilties are found. These alerts can be viewed in GitHub and can block merges in protected branches. When a developer fixes a vulnerability, GitHub willl automatically close the alert as resolved.

In the next exercise we will learn how CodeQL can detect Script Injection in GitHub Actions Workflows and understand how GitHub Advanced Security can mitigate Script Injection vulnerabilities in Workflows.

Exercise 3

Now let's learn how to mitigate the script injection vulnerability in the run command.
Exercise 4

Now let's learn how to mitigate the script injection vulnerability in the github-script action.
Exercise 5

We know CodeQL is a perfect tool for detecting vulnerablities because:

• It helps us to treat Workflows as code
• Treat code as data and extract it into a database
• Look for known vulnerabilities using built-in queries
• Create custom queries and expand coverage;
• Use code scanning to create alerts
• Use actions to block PRs
• Use deployment protection rules to block jobs

In the next exercise we will explore how to expand the coverage by using third party queries to detect unpinned actions in Workflows.

Exercise 6

In the next exercise we will explore how to expand the coverage by using custom queries to detect improper use of AWS credentials in Workflows.

Exercise 7

You can learn about script injections at Understanding the risk of script injections

You can learn about security hardening for GitHub Actions at Security hardening for GitHub Actions

You can find examples of CodeQL queries at CodeQL queries

You can find CodeQL tutorials in our CodeQL documentation. The tutorials introduce concepts that you can use this codespace to practice.

We also have CodeQL language guides to help you experiment and learn how to write effective and efficient queries for CodeQL databases generated from the languages supported in CodeQL analysis.

You can prepare for certification in GitHub Advanced Security and Code Scanning by visiting the Microsoft Learning Page for Advanced Security.

You can learn about Codespaces at Codespaces