www.chainguard.dev (52.17.119.105), public scan
Submitted URL: http://www.chainguard.dev/unchained/working-as-unexpected?utm_source=tldrwebdev/1/0100018fe817e220-180dd738-4679-4557-8a74...
Effective URL: https://www.chainguard.dev/unchained/working-as-unexpected?utm_source=tldrwebdev/1/0100018fe817e220-180dd738-4679-4557-8a74...
Submission: On June 05 via api from IE — Scanned from DE
Form analysis
1 form found in the DOM
POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/21744766/f0f65f0c-b494-4703-8434-e0c0b53fad61
<form id="hsForm_f0f65f0c-b494-4703-8434-e0c0b53fad61" method="POST" accept-charset="UTF-8" enctype="multipart/form-data" novalidate=""
action="https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/21744766/f0f65f0c-b494-4703-8434-e0c0b53fad61"
class="hs-form-private hsForm_f0f65f0c-b494-4703-8434-e0c0b53fad61 hs-form-f0f65f0c-b494-4703-8434-e0c0b53fad61 hs-form-f0f65f0c-b494-4703-8434-e0c0b53fad61_852f0d24-efcb-4b79-a519-cbdf03f9f749 hs-form stacked"
target="target_iframe_f0f65f0c-b494-4703-8434-e0c0b53fad61" data-instance-id="852f0d24-efcb-4b79-a519-cbdf03f9f749" data-form-id="f0f65f0c-b494-4703-8434-e0c0b53fad61" data-portal-id="21744766"
data-test-id="hsForm_f0f65f0c-b494-4703-8434-e0c0b53fad61" data-hs-cf-bound="true">
<fieldset class="form-columns-1">
<div class="hs_email hs-email hs-fieldtype-text field hs-form-field"><label id="label-email-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your Email" for="email-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span>Email</span><span
class="hs-form-required">*</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="email-f0f65f0c-b494-4703-8434-e0c0b53fad61" name="email" required="" placeholder="" type="email" class="hs-input" inputmode="email" autocomplete="email" value=""></div>
</div>
</fieldset>
<fieldset class="form-columns-3">
<div class="hs_firstname hs-firstname hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-firstname-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your "
for="firstname-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="firstname" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_lastname hs-lastname hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-lastname-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your "
for="lastname-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="lastname" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_company hs-company hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-company-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your "
for="company-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="company" class="hs-input" type="hidden" value=""></div>
</div>
</fieldset>
<fieldset class="form-columns-2">
<div class="hs_sub_industry hs-sub_industry hs-fieldtype-select field hs-form-field" style="display: none;"><label id="label-sub_industry-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your "
for="sub_industry-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="sub_industry" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_latest_source___all hs-latest_source___all hs-fieldtype-select field hs-form-field" style="display: none;"><label id="label-latest_source___all-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your "
for="latest_source___all-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="latest_source___all" class="hs-input" type="hidden" value="Newsletter Subscription"></div>
</div>
</fieldset>
<fieldset class="form-columns-3">
<div class="hs_sector hs-sector hs-fieldtype-select field hs-form-field" style="display: none;"><label id="label-sector-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your "
for="sector-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="sector" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_industry_group hs-industry_group hs-fieldtype-select field hs-form-field" style="display: none;"><label id="label-industry_group-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your "
for="industry_group-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="industry_group" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_industry_dropdown hs-industry_dropdown hs-fieldtype-select field hs-form-field" style="display: none;"><label id="label-industry_dropdown-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your "
for="industry_dropdown-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="industry_dropdown" class="hs-input" type="hidden" value=""></div>
</div>
</fieldset>
<fieldset class="form-columns-3">
<div class="hs_utm_medium hs-utm_medium hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_medium-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your utm_medium"
for="utm_medium-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span>utm_medium</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_medium" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_campaign hs-utm_campaign hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_campaign-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your utm_campaign"
for="utm_campaign-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span>utm_campaign</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_campaign" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_content hs-utm_content hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_content-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your utm_content"
for="utm_content-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span>utm_content</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_content" class="hs-input" type="hidden" value=""></div>
</div>
</fieldset>
<fieldset class="form-columns-3">
<div class="hs_numemployees hs-numemployees hs-fieldtype-number field hs-form-field" style="display: none;"><label id="label-numemployees-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your "
for="numemployees-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="numemployees" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_term hs-utm_term hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_term-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your utm_term"
for="utm_term-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span>utm_term</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_term" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_utm_source hs-utm_source hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-utm_source-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your utm_source"
for="utm_source-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span>utm_source</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="utm_source" class="hs-input" type="hidden" value="tldrwebdev/1/0100018fe817e220-180dd738-4679-4557-8a74-306627fd7da9-000000/l7szYVRVhu3vAHqaCnWEe7ieWn_btf1gIpDpnS57byE=356/"></div>
</div>
</fieldset>
<fieldset class="form-columns-3">
<div class="hs_linkedin hs-linkedin hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-linkedin-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your "
for="linkedin-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="linkedin" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_clearbit_job_sub_role hs-clearbit_job_sub_role hs-fieldtype-select field hs-form-field" style="display: none;"><label id="label-clearbit_job_sub_role-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your "
for="clearbit_job_sub_role-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="clearbit_job_sub_role" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_clearbit_job_role hs-clearbit_job_role hs-fieldtype-select field hs-form-field" style="display: none;"><label id="label-clearbit_job_role-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your "
for="clearbit_job_role-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="clearbit_job_role" class="hs-input" type="hidden" value=""></div>
</div>
</fieldset>
<fieldset class="form-columns-3">
<div class="hs_state hs-state hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-state-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your "
for="state-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="state" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_country_hubspot_loaded hs-country_hubspot_loaded hs-fieldtype-select field hs-form-field" style="display: none;"><label id="label-country_hubspot_loaded-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your "
for="country_hubspot_loaded-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="country_hubspot_loaded" class="hs-input" type="hidden" value=""></div>
</div>
<div class="hs_city hs-city hs-fieldtype-text field hs-form-field" style="display: none;"><label id="label-city-f0f65f0c-b494-4703-8434-e0c0b53fad61" class="" placeholder="Enter your "
for="city-f0f65f0c-b494-4703-8434-e0c0b53fad61"><span></span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input name="city" class="hs-input" type="hidden" value=""></div>
</div>
</fieldset>
<fieldset class="form-columns-1">
<div class="legal-consent-container">
<div class="hs-richtext">
<p>Chainguard may use the contact information you provide to contact you about our products and services. You may unsubscribe at anytime. For more information, check out our
<a href="https://www.chainguard.dev/privacy-notice" target="_blank" rel="nofollow">Privacy Policy</a>.</p>
</div>
</div>
</fieldset>
<div class="hs_submit hs-submit">
<div class="hs-field-desc" style="display: none;"></div>
<div class="actions"><input type="submit" class="hs-button primary large" value="Subscribe"></div>
</div><input name="hs_context" type="hidden"
value="{"embedAtTimestamp":"1717589035582","formDefinitionUpdatedAt":"1712950677326","lang":"en","legalConsentOptions":"{\"legitimateInterestSubscriptionTypes\":[38877867],\"communicationConsentCheckboxes\":[{\"communicationTypeId\":38877867,\"label\":\"I agree to receive other communications from Chainguard.\",\"required\":false}],\"legitimateInterestLegalBasis\":\"LEGITIMATE_INTEREST_PQL\",\"communicationConsentText\":\"<p>Chainguard is committed to protecting and respecting your privacy. If you consent to us contacting you with information about our products and services, as well as other content that may be of interest to you, please tick below to say how you would like us to contact you:</p>\",\"processingConsentType\":\"IMPLICIT\",\"processingConsentText\":\"In order to provide you the content requested, we need to store and process your personal data. If you consent to us storing your personal data for this purpose, please tick the checkbox below.\",\"processingConsentCheckboxLabel\":\"I agree to allow Chainguard to store and process my personal data.\",\"privacyPolicyText\":\"<p>Chainguard may use the contact information you provide to contact you about our products and services. You may unsubscribe at anytime. 
For more information, check out our <a href=\\\"https://www.chainguard.dev/privacy-notice\\\" target=\\\"_blank\\\" rel=\\\"nofollow\\\">Privacy Policy</a>.</p>\",\"isLegitimateInterest\":true}","embedType":"REGULAR","disableCookieSubmission":"true","renderRawHtml":"true","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","pageTitle":"Working as unexpected","pageUrl":"https://www.chainguard.dev/unchained/working-as-unexpected?utm_source=tldrwebdev/1/0100018fe817e220-180dd738-4679-4557-8a74-306627fd7da9-000000/l7szYVRVhu3vAHqaCnWEe7ieWn_btf1gIpDpnS57byE=356/","urlParams":{"utm_source":"tldrwebdev/1/0100018fe817e220-180dd738-4679-4557-8a74-306627fd7da9-000000/l7szYVRVhu3vAHqaCnWEe7ieWn_btf1gIpDpnS57byE=356/"},"isHubSpotCmsGeneratedPage":false,"hutk":"9a98d6b8616a57e0e3dc383ea875e32e","__hsfp":1608735010,"__hssc":"1638499.1.1717589036910","__hstc":"1638499.9a98d6b8616a57e0e3dc383ea875e32e.1717589036910.1717589036910.1717589036910.1","formTarget":"#hbspt-form-852f0d24-efcb-4b79-a519-cbdf03f9f749","sfdcCampaignId":"701Uu000003Og9GIAS","rumScriptExecuteTime":2621.900001525879,"rumTotalRequestTime":3064.6000003814697,"rumTotalRenderTime":3157,"rumServiceResponseTime":442.6999988555908,"rumFormRenderTime":92.39999961853027,"connectionType":"4g","firstContentfulPaint":0,"largestContentfulPaint":0,"locale":"en","timestamp":1717589036921,"originalEmbedContext":{"portalId":"21744766","formId":"f0f65f0c-b494-4703-8434-e0c0b53fad61","region":"na1","target":"#hbspt-form-852f0d24-efcb-4b79-a519-cbdf03f9f749","isBuilder":false,"isTestPage":false,"isPreview":false,"isMobileResponsive":true,"sfdcCampaignId":"701Uu000003Og9GIAS"},"correlationId":"852f0d24-efcb-4b79-a519-cbdf03f9f749","renderedFieldsIds":["email","firstname","lastname","company","sub_industry","latest_source___all","sector","industry_group","industry_dropdown","utm_medium","utm_campaign","utm_content","numemployees","utm_term","utm_source","linke
din","clearbit_job_sub_role","clearbit_job_role","state","country_hubspot_loaded","city"],"captchaStatus":"NOT_APPLICABLE","emailResubscribeStatus":"NOT_APPLICABLE","isInsideCrossOriginFrame":false,"source":"forms-embed-1.5376","sourceName":"forms-embed","sourceVersion":"1.5376","sourceVersionMajor":"1","sourceVersionMinor":"5376","allPageIds":{},"_debug_embedLogLines":[{"clientTimestamp":1717589035710,"level":"INFO","message":"Retrieved pageContext values which may be overriden by the embed context: {\"pageTitle\":\"Working as unexpected\",\"pageUrl\":\"https://www.chainguard.dev/unchained/working-as-unexpected?utm_source=tldrwebdev/1/0100018fe817e220-180dd738-4679-4557-8a74-306627fd7da9-000000/l7szYVRVhu3vAHqaCnWEe7ieWn_btf1gIpDpnS57byE=356/\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36\",\"urlParams\":{\"utm_source\":\"tldrwebdev/1/0100018fe817e220-180dd738-4679-4557-8a74-306627fd7da9-000000/l7szYVRVhu3vAHqaCnWEe7ieWn_btf1gIpDpnS57byE=356/\"},\"isHubSpotCmsGeneratedPage\":false}"},{"clientTimestamp":1717589035713,"level":"INFO","message":"Retrieved countryCode property from normalized embed definition response: \"DE\""},{"clientTimestamp":1717589036913,"level":"INFO","message":"Retrieved analytics values from API response which may be overriden by the embed context: {\"hutk\":\"9a98d6b8616a57e0e3dc383ea875e32e\"}"}]}"><iframe
name="target_iframe_f0f65f0c-b494-4703-8434-e0c0b53fad61" style="display: none;"></iframe>
</form>
Text Content

Engineering
WORKING AS UNEXPECTED
Matt Moore, CTO Chainguard
May 31, 2024

TLDR: This is a tale of a “working as intended” branch protection bypass that allows for protected credential exfiltration.

This is a security vulnerability that was reported to GitHub via HackerOne on February 2nd, 2024, and fairly quickly closed as “working as expected.” While GitHub may expect this behavior, it violates the principle of least surprise, so I wanted to outline this vulnerable behavior so that folks don’t fall into the trap it creates.

As part of hardening Chainguard’s security posture, I am continuously in pursuit of ways to leverage controls to treat GitHub like a production environment. On this particular excursion, I was exploring whether I could eliminate the ability to create new branches directly on our upstream repository with a wildcard branch protection rule on the pattern *:

My hypothesis was that the above might prevent folks from creating new branches on our upstream repository (effectively, that it would protect non-existing branches in addition to existing ones). It was simple enough to test with an experiment, and I was (partially) wrong. However, now that the branch exists, it (somewhat obviously) shows up as protected. Hmm…

I found this intriguing because I had also recently been exploring GitHub’s environments feature, which allows you to restrict the visibility of certain secrets to specific branches or to protected branches. Bear in mind, this feature is the most secure level of secret storage GitHub offers. You can configure it like so:

So my very next question was: if my new branch immediately becomes protected, could its workflows immediately be eligible to access these secrets?

To test that theory, I crafted the following workflow to exfiltrate a secret I created in the mattmoor-testing environment above called NOT_A_SECRET:

    on:
      push:
        branches:
    name: example secret exfiltration
    jobs:
      build:
        runs-on: ubuntu-latest
        environment: mattmoor-testing
        steps:
          - shell: bash
            run: |
              echo ${{ secrets.NOT_A_SECRET }} | base64

Somewhat unsurprisingly, this worked:

The full reproduction steps I gave to GitHub are:

At first, I thought (likely similar to GitHub) that this was a vanishingly small niche. After all, how widely used are wildcard branch protection rules that folks expose secrets to? However, the more it marinated in my head, the more it concerned me, and a very plausible scenario emerged.

DIGGING DEEPER

On previous open source projects I have worked on, it was pretty typical to create long-lived release branches from which we could cut patch releases (e.g. release-1.2). We protected these branches with a protection rule that applied to release-*. Now suppose that we wanted our release workflows to have access to sensitive secrets that only the release workflow should have, for instance signing keys (e.g. Terraform provider GPG keys, or deb, rpm and apk signing keys). Gulp.

Initially, I had also questioned the value of such an attack with excuses like: my branch was pretty obvious (it is protected, so I couldn’t just delete it to cover my tracks), the extra workflow was pretty obvious, and the way I exfiltrated the secret made it available to anyone (not just me). This also did not age well as it marinated in my head. For projects with many releases I could very likely hide my branch typo-style with something like release-1.02 or release-.1.2, which would look like an innocent error. To hide the workflow, I could put the exfiltration itself into an existing workflow, so it blended into the other action executions of the project. Lastly, instead of using something as trivial as base64 to avoid GitHub’s secret masking, I could do something that made it only accessible to me: I could post it to a service I own. Or, if the execution were somehow network jailed (not something Actions supports), then I could encrypt it with an asymmetric key included in the branch and log the encrypted value instead.

But I’d have to be a writer on the repo. True, but this is also more common than you’d think. After all, GitHub locks up all kinds of useful permissions behind having this level of access, including things like being able to label issues, move them around project boards, or interact with milestones. In fact, the main feature that previously allowed me as a maintainer to sleep at night with a non-trivial number of repo editors was ironically … (drumroll) ... branch protections.

Now here’s a piece I missed in my initial branch protection configuration, which helps to mitigate this but does not completely close the hole. I’d missed it because of a subtle text difference between what is displayed for new branch protections (above) vs. existing branch protections (below):

New branch protections
Existing branch protections

I was looking at an existing branch protection when exploring these knobs, which indicates that anyone with the ability to write to the repo can still create branches. However, the left-hand side indicates that only administrators can create new branches (progress, but ideally this would be configurable with):

BEST PRACTICES FOR BRANCH PROTECTIONS

If you are concerned about vulnerable behaviors in GitHub branch protections, here are some takeaways and best practices to consider:

1. Favor the use of repository rulesets (new) over branch protections (old); rulesets can actually block administrators if they are not explicitly put onto the bypass list.
2. Only use wildcards in branch protections when absolutely necessary.
3. When using wildcard branch protections, always restrict who can create matching branches (e.g. so that only admins can create release branches).
4. Only trust branch protections in environments (vs. concrete branches) when absolutely necessary.
5. If you do find yourself doing the above, consider requiring administrators to approve environment access.
6. Prefer the use of a cloud service provider’s secret store accessed via OIDC federation over GitHub’s built-in secret storage, and ensure that the federation rules are as restrictive as possible.

As I mentioned earlier, GitHub marked this issue as working as intended, but (silver linings) it freed me to at least help educate you all to be on the lookout for vulnerable behaviors like this. If you are interested in learning more about Chainguard’s approach to our own product security and internal practices with defense-in-depth principles, visit our Trust Center or learn more about our Octo STS project here.

RELATED ARTICLES
Wolfi at work: Minimal developer workstations in the cloud (May 29, 2024)
Reducing vulnerabilities in Backstage with Chainguard’s Wolfi (May 16, 2024)
Open sourcing Octo STS (May 2, 2024)

© 2024 Chainguard, Inc.
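The post describes two settings that are individually reasonable but dangerous in combination: a wildcard branch protection rule that still lets anyone with write access create matching (and therefore protected) branches, and an environment whose secrets are released to any protected branch. The audit script below, an added example that is not Chainguard's or GitHub's code, checks a repository's configuration for exactly that combination, covering best practices 3 and 4 from the list above. It reads the JSON shapes of GitHub's GraphQL `branchProtectionRules` connection (the `pattern` and `blocksCreations` fields) and the REST `GET /repos/{owner}/{repo}/environments` response (`deployment_branch_policy.protected_branches`) as the author of this example understands them; the sample data is constructed for illustration, and the two live fetch functions assume network access and a token that can read repository settings.

```python
"""Audit GitHub branch protection rules and environments for the
wildcard-rule / protected-branch-environment combination.

Added example, not code from the post or from GitHub. Field names follow
GitHub's GraphQL schema (BranchProtectionRule.pattern, .blocksCreations)
and the REST environments endpoint as understood by this example's author.
"""
import json
import urllib.request

GRAPHQL_QUERY = """
query($owner: String!, $name: String!) {
  repository(owner: $owner, name: $name) {
    branchProtectionRules(first: 100) {
      nodes { pattern blocksCreations restrictsPushes }
    }
  }
}
"""


def fetch_branch_protection_rules(owner, repo, token):
    """Live lookup of branch protection rules (needs network and a token)."""
    body = json.dumps({"query": GRAPHQL_QUERY,
                       "variables": {"owner": owner, "name": repo}}).encode()
    req = urllib.request.Request(
        "https://api.github.com/graphql", data=body,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        data = json.load(resp)
    return data["data"]["repository"]["branchProtectionRules"]["nodes"]


def fetch_environments(owner, repo, token):
    """Live lookup of environments and their deployment branch policies."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/environments",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["environments"]


def is_wildcard(pattern):
    """fnmatch-style metacharacters make a rule match branches that do not exist yet."""
    return any(ch in pattern for ch in "*?[")


def audit(rules, environments):
    """Return findings for (a) wildcard rules that do not block branch creation,
    so any writer can mint a new protected branch, and (b) environments that
    gate their secrets on "protected branches" only. An environment finding is
    'high' when at least one creatable wildcard rule exists, otherwise 'info'."""
    findings = []
    creatable_wildcards = []
    for rule in rules:
        if not is_wildcard(rule["pattern"]):
            continue
        if not rule.get("blocksCreations", False):
            creatable_wildcards.append(rule["pattern"])
            findings.append({"kind": "wildcard_rule_allows_creation",
                             "pattern": rule["pattern"],
                             "fix": "restrict who can create matching branches"})
    for env in environments:
        policy = env.get("deployment_branch_policy") or {}
        if policy.get("protected_branches"):
            findings.append({
                "kind": "environment_trusts_protected_branches",
                "environment": env["name"],
                "reachable_via": list(creatable_wildcards),
                "severity": "high" if creatable_wildcards else "info",
                "fix": "name concrete branches or require reviewers",
            })
    return findings


# Constructed sample data in the shape of the two API responses.
SAMPLE_RULES = [
    {"pattern": "main", "blocksCreations": False, "restrictsPushes": True},
    {"pattern": "release-*", "blocksCreations": False, "restrictsPushes": False},
    {"pattern": "hotfix-*", "blocksCreations": True, "restrictsPushes": False},
]
SAMPLE_ENVIRONMENTS = [
    {"name": "release-signing",
     "deployment_branch_policy": {"protected_branches": True,
                                  "custom_branch_policies": False}},
    {"name": "staging",
     "deployment_branch_policy": {"protected_branches": False,
                                  "custom_branch_policies": True}},
    {"name": "sandbox", "deployment_branch_policy": None},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, SAMPLE_ENVIRONMENTS):
        print(json.dumps(finding))
```

On the sample data the script flags `release-*` (a writer can create a protected `release-1.02`) and then raises the `release-signing` environment to high severity because that wildcard makes its secrets reachable; `hotfix-*` passes because creation is blocked, and `main` is ignored because a literal pattern cannot match a not-yet-existing branch. For a real repository, call `audit(fetch_branch_protection_rules(o, r, tok), fetch_environments(o, r, tok))` and treat any high finding as a reason to apply best practices 3 to 5 above.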