Trivy Github repository is empty?

varunsh-coder · 2026-03-01T11:08:46+00:00

This is most likely due to this ongoing security incident where an AI bot is compromising GitHub Actions workflows. https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation#attack-6-aquasecuritytrivy---evidence-cleared

varunsh-coder · 2024-12-23T12:51:03+00:00

While it’s true that Azure DevOps has stricter controls around task approvals, it doesn’t entirely eliminate the risks of CI/CD supply chain attacks.

Supply chain risks still exist: Even in Azure DevOps, third-party libraries used during the build process can be malicious or compromised. Additionally, the runners themselves could be targeted, as was the case with the SolarWinds breach. These scenarios highlight that CI/CD environments are not inherently immune to security threats.

Future availability in Azure DevOps: I’m the cofounder of StepSecurity, and we’re actively working on extending Harden-Runner to platforms like Azure DevOps, GitLab, BitBucket, and others to address these risks comprehensively. If you’re interested in learning more or staying updated, feel free to reach out to us at [[email protected]](mailto:[email protected]).Happy to answer any questions or discuss further!

varunsh-coder · 2024-04-17T15:16:27+00:00

Learn about a “Pwn Request” vulnerability in Google’s open-source project Flank.

The vulnerability allowed anyone with a GitHub Account to steal Google service account credentials which were used as a repository secret along with obtaining access to a GITHUB_TOKEN with write access.

Google’s VRP rewarded the researcher with a $7,500 bug bounty for this report as a Software Supply Chain compromise under the “Standard OSS Project” tier.

varunsh-coder · 2022-11-12T14:47:19+00:00

This attack method and many similar attacks use DNS exfiltration/ send back data to identify the CI/ CD pipeline or machine on which the attack was successful. If you block such outbound traffic, you can prevent exfiltration of metadata/ secrets. While this is in general hard to do, for GitHub Actions, you can do this using the Harden Runner GitHub Action. https://github.com/step-security/harden-runner

varunsh-coder · 2022-08-31T17:31:26+00:00

The problem we are trying to solve is to automatically calculate what the minimum GITHUB_TOKEN permissions should be for a given workflow.
We are solving this problem by building a knowledge base of permissions needed by each GitHub Action.
If you own a GitHub Action, contribute to the SecureWorkflows project by adding a YAML file describing the permissions your Action needs.

Please share with those who maintain a GitHub Action.

varunsh-coder · 2022-08-16T17:33:09+00:00

List of merged pull requests for the 30 critical projects can be found here:

https://github.com/step-security/secure-workflows/issues/462

varunsh-coder · 2022-08-16T17:32:33+00:00

List of merged pull requests for the 30 critical projects can be found here: https://github.com/step-security/secure-workflows/issues/462

varunsh-coder · 2022-05-24T13:54:03+00:00

Thank you for the feedback!

w.r.t not being able to run a container, let me clarify. It can be used to monitor jobs that use containers to run steps. As an example, the super-linter Action runs a container and as you can see those connections are monitored. https://app.stepsecurity.io/github/harden-runner-canary/mruby/actions/runs/2315007834. It even shows the container image being used to make calls.

The limitation is if the entire job is run in a container. That is fairly rare for GitHub Actions workflows, as most of them run directly on ubuntu-latest (runs-on: ubuntu-latest).

Hope that clarifies.

W.r.t fair amount of manual work, that is true. Some of the ideas there are to store the allowed listed outside the workflow in a backend and notify the developer (do not block the connection) if a new connection is observed which is not in the list, which can then be approved. Or delegate the monitoring and approval to a different entity, which can be a security team, for example. We could also maintain allowed list for popular Actions.

Another idea is to use it on important projects and for important workflows where the risk is higher, so the extra work is justified. Just today I got to know about another case where backdoor was added to a Python library to send environment variables to an external domain. So workflows that have sensitive credentials can be prioritized over others.

varunsh-coder · 2022-03-25T03:55:21+00:00

If you know/ would like to learn to code in addition to learning cybersecurity (knowing to code is a plus point for internships/ jobs), consider contributing to some open source projects, e.g. https://github.com/ossf/scorecard or some of the other open source security foundation projects, or other security related projects. It is a great way to learn and also get noticed by hiring managers, who are sometimes managing these projects.

If you would not like to code, try to participate in bug bounty programs. https://hackerone.com/bug-bounty-programs is a good start. Most large software companies have bug bounty programs. You can find people's experiences reporting these issues here: https://medium.com/tag/bug-bounty/latest

varunsh-coder · 2022-03-24T21:52:50+00:00

Checkout this GitHub Actions workflow where the outbound calls made by some of these malicious packages are detected. Harden-Runner GitHub Action detects and blocks outbound calls for this exact reason - to identity malicious packages.

https://github.com/varunsh-coder/supply-chain-goat/actions/runs/2036805074

varunsh-coder

TROPHY CASE

Welcome to Reddit,