threat-modeling.md

File metadata and controls

53 lines (44 loc) · 4.17 KB

Threat Model Analysis for nektos/act

  • Description: An attacker crafts a malicious GitHub Action and publishes it. A developer includes this action in their workflow. When act runs the workflow, it downloads and executes the malicious action within a Docker container. The attacker's code could attempt to escape the container, steal secrets, or modify the host system. This is direct because act is the component downloading and running the untrusted code.
    • Impact: Host system compromise, data exfiltration, lateral movement, potential CI/CD pipeline compromise.
    • act Component Affected: act's action runner (downloading/executing actions), Docker container management.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Pin Actions to Specific Commits (e.g., uses: owner/repo@<full-commit-SHA>).
      • Vendor Actions (copy source code into your repository).
      • Thoroughly Review Action Source Code.
      • Use a Private Actions Registry.
      • Limit Permissions (rootless Docker, least privilege).
  • Description: A developer uses act to run a workflow requiring secrets. The workflow, as executed by act, is misconfigured and prints the secret or exposes it in environment variables accessible within the container. An attacker with access to the act execution environment (e.g., compromised host, access to act's output) retrieves the secret. This is direct because act is the execution environment where the exposure occurs.
    • Impact: Compromise of credentials, unauthorized access, data breaches.
    • act Component Affected: act's environment variable handling, workflow execution, logging (if act logs are insecure).
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Use act's Secret Management (-s or --secret-file).
      • Never Print Secrets in workflows.
      • Integrate with a Secrets Manager.
      • Secure Workflow Logs (if generated by act).
      • Mask Secrets in Logs (if unavoidable).
  • Description: A developer uses act with --bind, or runs a workflow with a volume mount, that exposes sensitive parts of the host filesystem to the Docker container act configures. A malicious action or compromised container reads/modifies files on the host. This is direct because act is responsible for setting up the bind mount.
    • Impact: Data leakage, file system corruption, privilege escalation.
    • act Component Affected: act's Docker container management (bind mount/volume handling).
    • Risk Severity: High
    • Mitigation Strategies:
      • Minimize/Avoid --bind.
      • Restrict Mount Points to only necessary files/directories.
      • Use Read-Only Mounts (:ro).
      • Run act as Non-Root.
      • Use Rootless Docker.
  • Description: A workflow specifies a Docker image. An attacker compromises the registry or uses a MITM attack to redirect the image pull to a malicious image. act, during its execution, pulls and runs the attacker's image. This is direct because act is performing the image pull.
    • Impact: Arbitrary code execution, host compromise, data exfiltration.
    • act Component Affected: act's Docker image pulling mechanism.
    • Risk Severity: High
    • Mitigation Strategies:
      • Use Specific Image Digests (not tags).
      • Use a Private Registry.
      • Enable Docker Content Trust.
      • Network Segmentation (isolate act's network).
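
The "Pin Actions to Specific Commits" and "Use Specific Image Digests (not tags)" mitigations can be checked before act ever runs a workflow. The script below is an added example, not code from the act project: a line-based heuristic (not a full YAML parser) that flags `uses:`, `image:` and scalar `container:` references that are not pinned. The function name, sample workflow, SHA and digest are constructed for illustration.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")
IMAGE = re.compile(r"^\s*(?:-\s*)?(?:image|container):\s*(\S+)")
COMMIT_PIN = re.compile(r"@[0-9a-f]{40}$")          # full commit SHA
DIGEST_PIN = re.compile(r"@sha256:[0-9a-f]{64}$")   # immutable image digest

def audit_workflow(text):
    """Return (line_no, kind, ref) for each action or image that is not pinned."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if m:
            ref = m.group(1).strip("'\"")
            if ref.startswith("./"):
                continue  # local (vendored) action, reviewed with the repo
            if ref.startswith("docker://"):
                kind, pinned = "image", DIGEST_PIN.search(ref)
            else:
                kind, pinned = "action", COMMIT_PIN.search(ref)
        else:
            m = IMAGE.match(line)
            if not m:
                continue
            ref = m.group(1).strip("'\"")
            kind, pinned = "image", DIGEST_PIN.search(ref)
        if not pinned:
            findings.append((no, kind, ref))
    return findings

# Constructed sample workflow (hypothetical; SHA and digest are filler values).
SHA, DIGEST = "a" * 40, "b" * 64
SAMPLE = f"""\
jobs:
  build:
    container: node:20
    services:
      db:
        image: postgres@sha256:{DIGEST}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@{SHA}  # v4
      - uses: ./.github/actions/vendored
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for no, kind, ref in audit_workflow(SAMPLE):
        print(f"line {no}: unpinned {kind}: {ref}")
```

Because it matches keys by line, an `image:` key that is an action input under `with:` is also reported; treat findings as items to review rather than as a verdict.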