Exploring Vulnerabilities in GitHub Reusable Workflows: Richard’s Expert Advice on OIDC Attacks

CI/CD Security: Unveiling Vulnerabilities in GitHub Reusable Workflows
In this episode, Johannes and Richard dive deep into CI/CD pipeline security, focusing on GitHub reusable workflows and keyless signing with Sigstore.
Richard explains the details of the signing process and why securely linking source code to the resulting software artifact matters. They discuss a key vulnerability in GitHub reusable workflows that can be exploited if the workflows are not properly secured.
Richard walks through examples from repositories such as Argo CD and Bank Vaults, showing how these issues can be mitigated with better access control. Tune in to learn about securing your CI/CD pipelines and ensuring trust in your software's identity.
As an AWS Security Hero, Richard is an expert in security topics, and he demonstrates a vulnerability in reusable GitHub workflows that you should know about.

Reach out to Richard: richardfan1126

Links:
- Blog post https://blog.richardfan.xyz/2024/08/0...
- Sigstore https://www.sigstore.dev/
- https://search.sigstore.dev/

00:00 Introduction to CICD and Episode Overview
00:21 Guest Introduction and Background
03:38 Discussion on Supply Chain Security
07:44 Deep Dive into Code Signing
11:48 Exploring Keyless Signing and SIGstore
13:00 Simulating an Attack on Reusable Workflows
25:53 Mitigation Strategies and Fixes
36:49 Final Thoughts and Security Best Practices
