Ensure that CI/CD apps do not use too broad permissions
ID |
app_permissions |
Severity |
critical |
Family |
CI/ CD Security |
Tags |
cicd-security, infrastructure, reachable, security, supply-chain |
Description
Ensure that CI/CD apps do not use too broad permissions.
This check tries to determine if the organization uses any apps whose permissions are too broad.
Security
Using a CI/CD (Continuous Integration/Continuous Deployment) application integration with overly broad permissions can pose several security risks. Here are some potential problems you may face:
-
Unauthorized Access: If the CI/CD integration has excessive permissions, it may grant access to sensitive resources or actions to unauthorized individuals. This could result in data breaches, unauthorized deployments, or unintended changes to production environments.
-
Privilege Escalation: If an attacker gains access to the CI/CD system, they may exploit the broad permissions to elevate their privileges and gain control over critical systems or data. This can lead to widespread damage or unauthorized actions within your infrastructure.
-
Credential Exposure: Broad permissions may require storing credentials or access tokens within the CI/CD system. If these credentials are not adequately protected, they may be compromised, allowing attackers to impersonate authorized users and carry out malicious activities.
-
Increased Attack Surface: By granting broad permissions, you expand the attack surface of your CI/CD integration. Any vulnerabilities or misconfigurations in the integration can be targeted by attackers to gain unauthorized access or disrupt your deployment pipeline.
-
Malicious or Accidental Code Changes: With excessive permissions, a compromised or malicious user could introduce unauthorized code changes into the CI/CD process. This may lead to deploying malicious software, introducing vulnerabilities, or causing system instability.
-
Insider Threats: If access to the CI/CD integration is not tightly controlled or monitored, it increases the risk of insider threats. Authorized users with broad permissions could abuse their privileges, intentionally or accidentally, to cause damage or disrupt operations.
-
Lack of Accountability: Overly broad permissions can make it challenging to track and attribute actions performed through the CI/CD integration. This lack of accountability makes it difficult to investigate security incidents, identify the responsible party, or detect unauthorized activities.
To mitigate these risks, it is crucial to follow security best practices, including:
-
Implement the principle of least privilege, granting only the necessary permissions to the CI/CD integration and limiting access to sensitive resources.
-
Regularly review and update permissions, removing unnecessary privileges.
-
Enable detailed logging and monitoring to detect and investigate any suspicious or unauthorized activities.
Mitigation / Fix
Establish the app permissions allowed in your organization and review those apps not fitting on it. Update the detector configuration accordingly to your needs.
Configuration
The detector has a property named policy which contains the permissions allowed for each CI/CD system allowed (currently only GitHub is allowed).
For GitHub, it looks like this:
policy:
- cicd: github_actions
permissions:
# Retrieve Pages statuses, configuration, and builds, as well as create new builds. (none, read, write)
pages: read
# Checks on code. (none, read, write)
checks: read
# Issues and related comments, assignees, labels, and milestones. (none, read, write)
issues: read
# Workflows, workflow runs and artifacts. (none, read, write)
actions: read
# Organization members and teams. (none, read, write)
members: read
# Manage Actions repository secrets. (none, read, write)
secrets: none
# Repository contents, commits, branches, downloads, releases, and merges. (none, read, write)
contents: read
# Search repositories, list collaborators, and access repository metadata. (read)
metadata: read
# Packages published to the GitHub Package Platform. (none, read, write)
packages: read
# Commit statuses. (none, read, write)
statuses: read
# Update GitHub Action workflow files. (none, write)
workflows: read
# Create, edit, delete and list Codespaces. (none, read, write)
codespaces: read
# Deployments and deployment statuses. (none, read, write)
deployments: read
# Discussions and related comments and labels. (none, read, write)
discussions: read
# Manage repository environments. (none, read, write)
environments: read
# Manage a repository's merge queues (none, read, write)
merge_queues: read
# Pull requests and related comments, assignees, labels, milestones, and merges. (none, read, write)
pull_requests: read
# Repository creation, deletion, settings, teams, and collaborators. (none, read, write)
administration: read
# View and manage code scanning alerts. (none, read, write)
security_events: read
# Manage the post-receive hooks for a repository. (none, read, write)
repository_hooks: read
# Manage team discussions and related comments. (none, read, write)
team_discussions: read
# Manage Actions repository variables. (none, read, write)
actions_variables: none
# View an organization's plan. (none, read)
organization_plan: none
# Restrict Codespaces user secrets modifications to specific repositories. (none, read, write)
codespaces_secrets: none
# Manage Dependabot repository secrets. (none, read, write)
dependabot_secrets: none
# Manage the post-receive hooks for an organization. (none, read, write)
organization_hooks: read
# Access Codespaces metadata including the devcontainers and machine type. (none, read)
codespaces_metadata: read
# View events triggered by an activity in an organization. (none, read)
organization_events: read
# Manage classic projects within a repository. (none, read, write, admin)
repository_projects: read
# Manage Actions organization secrets. (none, read, write)
organization_secrets: none
# Manage vulnerability alerts. (none, read, write)
vulnerability_alerts: read
# Manage projects for an organization. (none, read, write, admin)
organization_projects: read
# View and manage repository security advisories. (none, read, write)
repository_advisories: read
# View and manage secret scanning alerts. (none, read, write)
secret_scanning_alerts: read
# Manage Codespaces for an organization. (none, read, write)
organization_codespaces: read
# Create, edit, delete and list custom repository roles. (none, read, write)
organization_custom_roles: read
# Manage the lifecycle of Codespaces, including starting and stopping. (none, read, write)
codespaces_lifecycle_admin: read
# View and manage users blocked by the organization. (none, read, write)
organization_user_blocking: read
# Manage access to an organization. (none, read, write)
organization_administration: read
# Manage Actions organization variables. (none, read, write)
organization_actions_variables: none
# Manage Codespaces Secrets for an organization. (none, read, write)
organization_codespaces_secrets: none
# Manage Dependabot organization secrets. (none, read, write)
organization_dependabot_secrets: none
# Manage Codespaces settings for an organization. (none, read, write)
organization_codespaces_settings: read
# View and manage Actions self-hosted runners available to an organization. (none, read, write)
organization_self_hosted_runners: read
# View and modify announcement banners for an organization. (none, read, write)
organization_announcement_banners: read
# Manage personal access token requests from organization members. (none, read, write)
organization_personal_access_tokens: none
# View and revoke personal access tokens that have been granted access to an organization. (none, read, write)
organization_personal_access_token_requests: none