Skip to content

Latest commit

 

History

History
61 lines (54 loc) · 9.25 KB

mitigations.md

File metadata and controls

61 lines (54 loc) · 9.25 KB

Mitigation Strategies Analysis for nektos/act

Mitigation Strategy: Securely Manage Secrets and Credentials - Utilize act's Secret Management Features

  • Mitigation Strategy: Securely Manage Secrets and Credentials - Utilize act's Secret Management Features
  • Description:
    1. Avoid Hardcoding Secrets in Workflows: Never embed secrets directly in workflow files (.github/workflows/*.yml) or action code.
    2. Use act's -s or --secret-file Flags: When running act, use the -s <secret_name>=<secret_value> flag to pass individual secrets directly on the command line, or use the --secret-file <path_to_secret_file> option to provide secrets from a dedicated file.
    3. Store Secrets Securely (Outside Workflow Files): Store secret values in a secure location outside of your Git repository. This could be environment variables on your development machine, a dedicated secret management tool, or encrypted files. act reads these secrets at runtime, keeping them separate from your workflow definitions.
    4. Define Secrets in Workflow Files (Name Only): In your workflow files, define the names of the secrets you intend to use (e.g., secrets.API_KEY) but do not provide the values. act will then look for these secrets when executed using the -s or --secret-file flags.
    5. Avoid Logging Secrets in Actions: Ensure that your workflows and actions are designed to avoid logging or printing secret values to console output or log files. Be mindful of how actions handle secrets context.
  • List of Threats Mitigated:
    • Secret Exposure in Version Control (High Severity): Hardcoding secrets in workflow files can lead to accidental exposure of sensitive credentials if the repository is publicly accessible or if unauthorized individuals gain access. act's secret management helps prevent this by keeping secrets out of workflow files.
    • Secret Leakage in Logs (Medium Severity): If secrets are not handled carefully, they might be inadvertently logged during workflow execution, making them accessible to anyone with access to the logs. Using act's secret features encourages practices that minimize logging secrets.
    • Unauthorized Access to Secrets (Medium Severity): Poor secret management practices can make it easier for unauthorized users or malicious actions to access sensitive credentials. act's features promote a more secure way to handle secrets during local testing.
  • Impact:
    • Secret Exposure in Version Control: High Risk Reduction
    • Secret Leakage in Logs: Medium Risk Reduction
    • Unauthorized Access to Secrets: Medium Risk Reduction
  • Currently Implemented: Developers are trained to use environment variables or separate secret files when running act locally, aligning with act's intended secret management. CI/CD pipeline uses secure secret injection mechanisms provided by the CI platform, which is conceptually similar to using --secret-file with act.
  • Missing Implementation: No automated enforcement to prevent hardcoding secrets in workflow files specifically when used with act. Reliance on developer awareness and training. We could provide example scripts or documentation that clearly demonstrates the use of -s or --secret-file with act.

Mitigation Strategy: Regularly Update act and Dependencies - Keep act Updated

  • Mitigation Strategy: Regularly Update act and Dependencies - Keep act Updated
  • Description:
    1. Monitor act Releases: Regularly check the act GitHub repository (https://github.com/nektos/act) for new releases and security announcements. Pay attention to release notes for mentions of security fixes.
    2. Subscribe to Security Mailing Lists/Announcements (If Available): If the act project provides a security mailing list or announcement channel (check the repository or documentation), subscribe to it to receive timely notifications about security vulnerabilities.
    3. Update act Regularly: When new versions of act are released, especially those containing security patches, promptly update your act installation. Follow the update instructions provided in the act documentation for your operating system and installation method (e.g., using brew upgrade act for Homebrew, or downloading a new binary).
    4. Check for Dependency Updates (Indirectly): While you don't directly manage act's dependencies, updating act itself will often include updates to its internal dependencies, indirectly benefiting from dependency security patches.
  • List of Threats Mitigated:
    • Exploitation of Known act Vulnerabilities (High Severity): Outdated versions of act may contain known security vulnerabilities that attackers can exploit to compromise the execution environment or the host system. Keeping act updated directly addresses this threat.
    • Exploitation of Dependency Vulnerabilities (Medium Severity): act relies on underlying libraries and tools. Updating act helps ensure that these dependencies are also kept reasonably up-to-date, reducing the risk of exploiting known vulnerabilities in those dependencies.
  • Impact:
    • Exploitation of Known act Vulnerabilities: High Risk Reduction
    • Exploitation of Dependency Vulnerabilities: Medium Risk Reduction
  • Currently Implemented: Our CI/CD pipeline automatically uses a relatively recent version of act (or the workflow engine). We have processes to update the CI environment periodically, which includes updating tools like act.
  • Missing Implementation: No automated mechanism to ensure developers are using the latest act version locally. Developers are responsible for manually updating their act installations. We could provide scripts or instructions to simplify act updates for developers and encourage regular updates in developer guidelines.

Mitigation Strategy: Monitor and Log act Activity - Enable Logging for act

  • Mitigation Strategy: Monitor and Log act Activity - Enable Logging for act
  • Description:
    1. Configure act Logging Level: act provides logging options to control the verbosity of output. Use the --log-level flag when running act to increase the logging level (e.g., --log-level debug or --log-level info). Higher log levels provide more detailed information about act's execution.
    2. Capture act Output: Redirect act's output to a file using standard shell redirection (e.g., act > act.log 2>&1) or use a logging tool to capture and store the output.
    3. Review Logs for Suspicious Activity: After running act, review the captured logs for:
      • Error Messages: Look for errors that might indicate issues with actions or act itself, potentially revealing security problems.
      • Unexpected Action Behavior: Examine logs to understand what actions are doing and if there's any unexpected or suspicious behavior.
      • Resource Usage (Indirectly): While act logs might not directly show resource usage, they can sometimes indicate actions that are taking an unusually long time or failing repeatedly, which could be related to resource exhaustion or other issues.
    4. Integrate with Centralized Logging (Advanced): For more comprehensive monitoring, consider integrating act's output with a centralized logging system. This might involve writing a wrapper script around act to format and send logs to a central system.
  • List of Threats Mitigated:
    • Delayed Threat Detection (Medium Severity): Without logging, it can be difficult to detect malicious activity or security incidents during local act executions. Enabling and reviewing act logs improves threat detection capabilities.
    • Limited Incident Response Capabilities (Medium Severity): Logs are crucial for incident response and troubleshooting. act logs provide valuable information for investigating issues that arise during local workflow testing.
    • Lack of Audit Trail (Low to Medium Severity): Logs provide an audit trail of act activity, which can be helpful for understanding workflow execution and identifying potential security misconfigurations or issues.
  • Impact:
    • Delayed Threat Detection: Medium Risk Reduction
    • Limited Incident Response Capabilities: Medium Risk Reduction
    • Lack of Audit Trail: Low to Medium Risk Reduction
  • Currently Implemented: Logging is enabled in our CI/CD pipeline for workflow executions (though not directly using act in production, the principle applies to workflow execution engines). Logs are sent to our centralized logging system.
  • Missing Implementation: No default logging configuration for local act executions by developers. Developers are generally not encouraged or provided with guidance on enabling and reviewing act logs locally. We could provide documentation or scripts to help developers easily enable logging when using act.