diff --git a/_posts/2023-11-02-insecure-github-actions.md b/_posts/2023-11-02-insecure-github-actions.md new file mode 100644 index 0000000..ab46d4e --- /dev/null +++ b/_posts/2023-11-02-insecure-github-actions.md @@ -0,0 +1,16 @@ +--- +layout: post +title: "Talk: Insecure GitHub Actions" +categories: learning +author: intrigus +--- + +You know GitHub Actions, these small building blocks that make your dev life easier… But they can also get you pwned in no time, if you are not careful. + +The talk covers: +* the basic structure of a GitHub Actions workflow. +* the general permission model of GitHub Actions. +* insecure templating and executing user-controlled code in privileged workflows. +* cache poisoning in workflows. + +The slides can be found [here](/talks/2023-10-26-insecure-github-actions/insecure-github-actions.pdf). The workshop was held on 2023-10-26. diff --git a/talks/2023-10-26-insecure-github-actions/insecure-github-actions.pdf b/talks/2023-10-26-insecure-github-actions/insecure-github-actions.pdf new file mode 100644 index 0000000..e03a3f3 Binary files /dev/null and b/talks/2023-10-26-insecure-github-actions/insecure-github-actions.pdf differ
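Review bot: the last added line of the post says "The workshop was held on 2023-10-26", while the front-matter title ("Talk: Insecure GitHub Actions") and "The talk covers:" call the event a talk; pick one term and use it throughout. On the same line the link text "here" does not describe its target; linking the word "slides" and noting that it is a PDF, for example "The [slides (PDF)](/talks/2023-10-26-insecure-github-actions/insecure-github-actions.pdf) are available.", would tell the reader what the link opens. The four bullets under "The talk covers:" are sentence fragments, so their trailing periods could be dropped.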