Hacking CI/CD Pipelines: Some Use Cases For Hacking CI/CD Orchestrators - Mauricio Cano - OWASP Netherlands
Abstract:
In this talk, we will discuss the hacking of CI/CD orchestrators, with a focus on GitHub Actions and what can be done from the perspective of a malicious insider. Some of the cases we will discuss are:
- Secret enumeration.
- Accessing infrastructure through runners.
- Public runners vs Private runners.
- Code injection in the pipeline and supply chain.
- GitHub commit information.
- Secret searching in the repository.
The goal is to provide a broad view of the attack surface that can be derived from CI/CD orchestrators and their runners, as well as to show a few demos of how this can be done.
Bio:
Mauricio Cano:
Mauricio Cano is a cloud pentester focused on container technologies, in particular the security of containers and serverless architectures. He has pentested Kubernetes clusters and serverless architectures for several multinational financial institutions. Prior to his security work, he had a background in academia, with a Ph.D. in Computer Science from the University of Groningen focused on programming language design and formal methods for ensuring correctness. In his spare time, Cano enjoys reading, cooking, and solving puzzles.