Skip to content

feat: gh workflow with issues#92

Open
jordan-dr wants to merge 2 commits intomainfrom
feat/new-gh-workflow
Open

feat: gh workflow with issues#92
jordan-dr wants to merge 2 commits intomainfrom
feat/new-gh-workflow

Conversation

@jordan-dr
Copy link
Contributor

@jordan-dr jordan-dr commented Aug 4, 2025

No description provided.

@dryrunsecurity
Copy link

dryrunsecurity bot commented Aug 4, 2025
edited
Loading

DryRun Security

🔴 Risk threshold exceeded.

This pull request contains multiple critical security vulnerabilities, including hardcoded credentials, potential command injection in GitHub Actions, information disclosure of AWS secrets in logs, and the use of third-party actions without pinned commit hashes, which could expose the repository to supply chain attacks and unauthorized access.

🔴 Code Policy: GitHub Action Policy Rails
Policy GitHub Action Policy Rails
Result Several security risks were identified in the GitHub Actions workflow: 1) The workflow logs sensitive AWS credentials via 'echo "AWS secret key is ${{ secrets.AWS_SECRET_ACCESS_KEY }}"' in the deploy-dev job, which exposes secrets in logs. 2) The workflow uses third-party actions without pinned commit hashes: actions/checkout@v4, ruby/setup-ruby@v1, actions/cache@v3, aws-actions/configure-aws-credentials@v2, and slackapi/slack-github-action@v1, making them vulnerable to supply chain attacks. 3) The workflow uses unsanitized user input in a git checkout command: 'git checkout ${{ github.event.inputs.tag }}' which could allow command injection. 4) The workflow uses a private repository token (GH_TOKEN) which could have elevated permissions.
🟡 Code Policy: hardcoded-creds
Policy hardcoded-creds
Result Yes, this change includes hard-coded credentials in the postgres service configuration where POSTGRES_USER and POSTGRES_PASSWORD are set to 'postgres'. Additionally, there is a debug step that logs an AWS secret key using 'echo "AWS secret key is ${{ secrets.AWS_SECRET_ACCESS_KEY }}"', which could expose sensitive credentials in logs. Guidance: refer issues to the security team
Information Disclosure of AWS Secret in Logs in .github/workflows/main.yaml
Vulnerability Information Disclosure of AWS Secret in Logs
Description The GitHub Actions workflow file '.github/workflows/main.yaml' explicitly prints the AWS_SECRET_ACCESS_KEY to the workflow logs in the 'deploy-dev' job. This exposes a critical AWS credential to anyone with access to the GitHub Actions logs for this repository, which could lead to unauthorized access to AWS resources.

rails-projects/.github/workflows/main.yaml

Lines 1 to 158 in a0b0950

name: Rails CI/CD Pipeline
on:
workflow_dispatch:
inputs:
tag:
description: "Git tag to deploy"
required: true
default: "main"
release:
types: [published]
permissions:
id-token: write
contents: read
jobs:
test:
name: Test
runs-on: ubuntu-latest
services:
postgres:
image: postgres:14
env:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_DB: rails_test
ports:
- 5432:5432
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
env:
RAILS_ENV: test
DATABASE_URL: postgres://postgres:postgres@localhost:5432/rails_test
steps:
- uses: actions/checkout@v4
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: '3.2'
bundler-cache: true
- name: Setup database
run: bin/rails db:create db:schema:load
- name: Run tests
run: bin/rails test
build:
name: Build
needs: test
runs-on: ubuntu-latest
if: success() && (github.event_name == 'push' && github.ref_name == 'main' || github.event_name == 'release' || github.event_name == 'workflow_dispatch')
steps:
- name: Checkout Private Repo with Org Token
uses: actions/checkout@v4
with:
repository: my-org/private-repo
token: ${{ secrets.GH_TOKEN }}
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: '3.2'
bundler-cache: true
- name: Create deployment package
run: |
echo "Build timestamp: $(date)" > build-info.txt
tar -czf rails-app.tar.gz --exclude=".git" --exclude="tmp" --exclude="log" .
- name: Cache deployment package
uses: actions/cache@v3
with:
path: rails-app.tar.gz
key: rails-app-${{ github.sha }}-${{ github.run_id }}
deploy-dev:
name: Deploy to Development
runs-on: ubuntu-latest
needs: build
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == 'main')
steps:
- name: Get cached deployment package
uses: actions/cache@v3
with:
fail-on-cache-miss: true
path: rails-app.tar.gz
key: rails-app-${{ github.sha }}-${{ github.run_id }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ secrets.AWS_REGION }}
- name: Log Key (debug)
run: echo "AWS secret key is ${{ secrets.AWS_SECRET_ACCESS_KEY }}"
- name: Checkout Code
run: |
echo "Checking out tag: ${{ github.event.inputs.tag }}"
git checkout ${{ github.event.inputs.tag }}
- name: Deploy to Elastic Beanstalk
run: |
aws s3 cp rails-app.tar.gz s3://${{ secrets.AWS_S3_BUCKET }}/rails-app-${{ github.sha }}.tar.gz
aws elasticbeanstalk create-application-version \
--application-name ${{ secrets.AWS_EB_APP_NAME }} \
--version-label ${{ github.sha }} \
--source-bundle S3Bucket=${{ secrets.AWS_S3_BUCKET }},S3Key=rails-app-${{ github.sha }}.tar.gz
aws elasticbeanstalk update-environment \
--application-name ${{ secrets.AWS_EB_APP_NAME }} \
--environment-name ${{ secrets.AWS_EB_DEV_ENV }} \
--version-label ${{ github.sha }}
deploy-prod:
name: Deploy to Production
runs-on: ubuntu-latest
needs: build
if: github.event_name == 'release'
steps:
- name: Get cached deployment package
uses: actions/cache@v3
with:
fail-on-cache-miss: true
path: rails-app.tar.gz
key: rails-app-${{ github.sha }}-${{ github.run_id }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ secrets.AWS_REGION }}
- name: Deploy to Elastic Beanstalk
run: |
aws s3 cp rails-app.tar.gz s3://${{ secrets.AWS_S3_BUCKET }}/rails-app-${{ github.sha }}.tar.gz
aws elasticbeanstalk create-application-version \
--application-name ${{ secrets.AWS_EB_APP_NAME }} \
--version-label ${{ github.sha }} \
--source-bundle S3Bucket=${{ secrets.AWS_S3_BUCKET }},S3Key=rails-app-${{ github.sha }}.tar.gz
aws elasticbeanstalk update-environment \
--application-name ${{ secrets.AWS_EB_APP_NAME }} \
--environment-name ${{ secrets.AWS_EB_PROD_ENV }} \
--version-label ${{ github.sha }}
- name: Announce Production Deployment
uses: slackapi/slack-github-action@v1
with:
payload: |
{
"text": "Application deployed to production: ${{ github.repository }}@${{ github.sha }}"
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

Command Injection in CI/CD Pipeline in .github/workflows/main.yaml
Vulnerability Command Injection in CI/CD Pipeline
Description The GitHub Actions workflow in .github/workflows/main.yaml is vulnerable to command injection. The deploy-dev job, which can be triggered manually via workflow_dispatch, directly uses the user-provided github.event.inputs.tag input within a git checkout shell command without any sanitization or validation. This allows an attacker to inject arbitrary shell commands by crafting a malicious tag value, leading to remote code execution on the GitHub Actions runner.

rails-projects/.github/workflows/main.yaml

Lines 1 to 158 in a0b0950

name: Rails CI/CD Pipeline
on:
workflow_dispatch:
inputs:
tag:
description: "Git tag to deploy"
required: true
default: "main"
release:
types: [published]
permissions:
id-token: write
contents: read
jobs:
test:
name: Test
runs-on: ubuntu-latest
services:
postgres:
image: postgres:14
env:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_DB: rails_test
ports:
- 5432:5432
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
env:
RAILS_ENV: test
DATABASE_URL: postgres://postgres:postgres@localhost:5432/rails_test
steps:
- uses: actions/checkout@v4
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: '3.2'
bundler-cache: true
- name: Setup database
run: bin/rails db:create db:schema:load
- name: Run tests
run: bin/rails test
build:
name: Build
needs: test
runs-on: ubuntu-latest
if: success() && (github.event_name == 'push' && github.ref_name == 'main' || github.event_name == 'release' || github.event_name == 'workflow_dispatch')
steps:
- name: Checkout Private Repo with Org Token
uses: actions/checkout@v4
with:
repository: my-org/private-repo
token: ${{ secrets.GH_TOKEN }}
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: '3.2'
bundler-cache: true
- name: Create deployment package
run: |
echo "Build timestamp: $(date)" > build-info.txt
tar -czf rails-app.tar.gz --exclude=".git" --exclude="tmp" --exclude="log" .
- name: Cache deployment package
uses: actions/cache@v3
with:
path: rails-app.tar.gz
key: rails-app-${{ github.sha }}-${{ github.run_id }}
deploy-dev:
name: Deploy to Development
runs-on: ubuntu-latest
needs: build
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == 'main')
steps:
- name: Get cached deployment package
uses: actions/cache@v3
with:
fail-on-cache-miss: true
path: rails-app.tar.gz
key: rails-app-${{ github.sha }}-${{ github.run_id }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ secrets.AWS_REGION }}
- name: Log Key (debug)
run: echo "AWS secret key is ${{ secrets.AWS_SECRET_ACCESS_KEY }}"
- name: Checkout Code
run: |
echo "Checking out tag: ${{ github.event.inputs.tag }}"
git checkout ${{ github.event.inputs.tag }}
- name: Deploy to Elastic Beanstalk
run: |
aws s3 cp rails-app.tar.gz s3://${{ secrets.AWS_S3_BUCKET }}/rails-app-${{ github.sha }}.tar.gz
aws elasticbeanstalk create-application-version \
--application-name ${{ secrets.AWS_EB_APP_NAME }} \
--version-label ${{ github.sha }} \
--source-bundle S3Bucket=${{ secrets.AWS_S3_BUCKET }},S3Key=rails-app-${{ github.sha }}.tar.gz
aws elasticbeanstalk update-environment \
--application-name ${{ secrets.AWS_EB_APP_NAME }} \
--environment-name ${{ secrets.AWS_EB_DEV_ENV }} \
--version-label ${{ github.sha }}
deploy-prod:
name: Deploy to Production
runs-on: ubuntu-latest
needs: build
if: github.event_name == 'release'
steps:
- name: Get cached deployment package
uses: actions/cache@v3
with:
fail-on-cache-miss: true
path: rails-app.tar.gz
key: rails-app-${{ github.sha }}-${{ github.run_id }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ secrets.AWS_REGION }}
- name: Deploy to Elastic Beanstalk
run: |
aws s3 cp rails-app.tar.gz s3://${{ secrets.AWS_S3_BUCKET }}/rails-app-${{ github.sha }}.tar.gz
aws elasticbeanstalk create-application-version \
--application-name ${{ secrets.AWS_EB_APP_NAME }} \
--version-label ${{ github.sha }} \
--source-bundle S3Bucket=${{ secrets.AWS_S3_BUCKET }},S3Key=rails-app-${{ github.sha }}.tar.gz
aws elasticbeanstalk update-environment \
--application-name ${{ secrets.AWS_EB_APP_NAME }} \
--environment-name ${{ secrets.AWS_EB_PROD_ENV }} \
--version-label ${{ github.sha }}
- name: Announce Production Deployment
uses: slackapi/slack-github-action@v1
with:
payload: |
{
"text": "Application deployed to production: ${{ github.repository }}@${{ github.sha }}"
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

All finding details can be found in the DryRun Security Dashboard.

@jordan-dr jordan-dr closed this Aug 4, 2025
@jordan-dr jordan-dr reopened this Aug 4, 2025
@jordan-dr jordan-dr closed this Aug 4, 2025
@jordan-dr jordan-dr reopened this Aug 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jordan-dr