技能 编程开发 CI/CD供应链攻击检测

CI/CD供应链攻击检测

v20260601
detecting-supply-chain-attacks-in-ci-cd
本工具用于扫描CI/CD流水线(如GitHub Actions)的配置文件,以检测潜在的供应链安全漏洞。它可以识别未固定版本的依赖、脚本注入风险、依赖混乱以及敏感信息泄露,帮助用户强化构建系统,提升安全防护等级。
获取技能
379 次下载
概览

Detecting Supply Chain Attacks in CI/CD

When to Use

  • When investigating security incidents that require detecting supply chain attacks in ci cd
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Familiarity with security operations concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Instructions

Scan CI/CD workflow files for supply chain risks by parsing GitHub Actions YAML, checking for unpinned dependencies, script injection vectors, and secrets exposure.

import yaml
from pathlib import Path

for wf in Path(".github/workflows").glob("*.yml"):
    with open(wf) as f:
        workflow = yaml.safe_load(f)
    for job_name, job in workflow.get("jobs", {}).items():
        for step in job.get("steps", []):
            uses = step.get("uses", "")
            if uses and "@" in uses and not uses.split("@")[1].startswith("sha"):
                print(f"Unpinned action: {uses} in {wf.name}")

Key supply chain risks:

  1. Unpinned GitHub Actions (using @main instead of SHA)
  2. Script injection via ${{ github.event }} expressions
  3. Overly permissive GITHUB_TOKEN permissions
  4. Third-party actions with write access to repo
  5. Dependency confusion via public/private package name collision

Examples

# Check for script injection in run steps
for step in job.get("steps", []):
    run_cmd = step.get("run", "")
    if "${{" in run_cmd and "github.event" in run_cmd:
        print(f"Script injection risk: {run_cmd[:80]}")
信息
Category 编程开发
Name detecting-supply-chain-attacks-in-ci-cd
版本 v20260601
大小 8.82KB
更新时间 2026-06-03
语言