Suspicious Pull Request merge invocation
ID | pull_request_merge
Severity | high
Family | CI/CD Security
Tags | cicd-sec-01, cicd-security, infrastructure, reachable, security
Description
Insufficient flow control mechanisms refer to the ability of an attacker who has obtained permissions to a system within the CI/CD process (SCM, CI, artifact repository, etc.) to single-handedly push malicious code or artifacts down the pipeline, because no mechanism enforces additional approval or review.
This particular detector flags a mechanism in the CI configuration that automatically merges pull requests once they satisfy a predefined set of requirements (for example a label, a passing check, or a trusted bot author), so that unreviewed code can reach the default branch without a human ever approving it.
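As an added illustration of the kind of check this rule performs (example code written for this page, not the detector's own implementation), the script below scans GitHub Actions workflow text for steps that merge a pull request from inside the pipeline. The indicator patterns (`gh pr merge`, Octokit's `pulls.merge()`, the REST `.../pulls/{n}/merge` endpoint) and the two sample workflows are assumptions constructed for the example; the real rule set is not shown on this page. It also records whether the workflow runs on `pull_request_target`, since that trigger runs with a write-capable token against the base repository even for pull requests from forks, which is the worst case for an auto-merge step.

```python
"""Added example: flag CI steps that merge pull requests automatically.

Illustrative logic for this page; the indicator list is an assumption,
not the detector's real rule set.
"""
import re
from dataclasses import dataclass

# Invocations that merge a PR without a human pressing the button.
# Assumed indicators for this example; a real rule would cover more tools.
MERGE_INDICATORS = [
    (re.compile(r"\bgh\s+pr\s+merge\b"), "GitHub CLI: gh pr merge"),
    (re.compile(r"\bpulls\.merge\s*\("), "Octokit: pulls.merge()"),
    (re.compile(r"/pulls/[^/\s\"']+/merge\b"), "REST: PUT .../pulls/{n}/merge"),
]


@dataclass
class Finding:
    line_no: int         # 1-based line in the workflow file
    indicator: str       # which indicator matched
    snippet: str         # the offending line, whitespace stripped
    write_trigger: bool  # True when the workflow runs on pull_request_target


def find_automerge(workflow_text: str) -> list[Finding]:
    """Return one Finding per line that invokes a pull request merge."""
    # pull_request_target gives the job a write-capable GITHUB_TOKEN on the
    # base repo even for fork PRs, so an auto-merge there is the riskiest case.
    write_trigger = re.search(r"\bpull_request_target\b", workflow_text) is not None
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):  # ignore commented-out lines
            continue
        for pattern, label in MERGE_INDICATORS:
            if pattern.search(stripped):
                findings.append(Finding(n, label, stripped, write_trigger))
                break  # one finding per line is enough
    return findings


def report(workflow_text: str) -> list[str]:
    """Human-readable lines for each finding (empty list means clean)."""
    out = []
    for f in find_automerge(workflow_text):
        trigger = "pull_request_target" if f.write_trigger else "other trigger"
        out.append(f"line {f.line_no}: {f.indicator} [{trigger}]: {f.snippet}")
    return out


# Constructed sample: auto-merges any labelled PR on pull_request_target.
VULNERABLE_WORKFLOW = """\
name: auto-merge
on:
  pull_request_target:
    types: [labeled]
jobs:
  merge:
    runs-on: ubuntu-latest
    if: contains(github.event.pull_request.labels.*.name, 'automerge')
    steps:
      - run: gh pr merge --auto --squash "$PR_URL"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
"""

# Constructed sample: runs tests only; merging stays with a human reviewer.
SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(name, report(wf) or ["no auto-merge invocation"])
```

Note that the sample workflow's `if:` condition is evaluated inside the pipeline, where anyone able to apply the label controls it; a server-side branch protection rule that requires code-owner review is what actually keeps the merge gated, and `gh pr merge --auto` will then wait for it rather than bypass it.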
Security
By allowing this behaviour in your organization, you may inadvertently provide a pathway for attackers to merge their own malicious changes into the project's codebase, bypassing manual review and detection processes.
In more harmful situations, this may indicate that an attacker has already infiltrated the code repository. By planting malicious code or backdoors in the repository, an attacker can gain unauthorized access, manipulate sensitive data, or compromise the overall security of the project.
Removing the human from the merge step also makes the auto-merge logic itself a target: if the merge criteria can be satisfied by the attacker (for example by applying the required label, by getting a check to pass against a workflow they modified, or by acting as a trusted bot account), their changes are incorporated automatically and without scrutiny. Auto merge should therefore be used with caution, and where it is used the gate should be server-side branch protection that requires reviews from code owners, rather than a condition evaluated inside the workflow that the pull request itself can influence.