October and November 2024 at StepSecurity

The last two months have been packed with exciting new milestones, real-life success stories, and updates! Dive into our newsletter to explore more.

Industry News

Supply Chain Attack on Chromium-BiDi and Puppeteer via GitHub Cache Poisoning

A recent bug bounty report revealed a supply chain attack on Google Chrome's Chromium-BiDi and Puppeteer projects. The attack leveraged GitHub Cache Poisoning, a method where malicious actors manipulate build caches to introduce unauthorized code into workflows.

At StepSecurity, we’ve taken steps to address similar risks (like ArtiPACKED). One of our platform’s latest features proactively scans GitHub Actions workflow artifacts for leaked secrets. This enables organizations to detect and block potential supply chain attacks like GitHub Cache Poisoning before they can compromise CI/CD pipelines.

Harden-Runner Featured in Book GitHub Actions in Action

GitHub Actions in Action Book

We’re thrilled to share that StepSecurity Harden-Runner is featured in the newly published book GitHub Actions in Action by Michael Kaufmann, Rob Bos, and Marcel de Vries from Xebia. This comprehensive book explores everything from setting up GitHub Actions to ensuring workflows are secure and efficient, making it an invaluable resource for teams working with GitHub Actions.

Read more about the feature and the book in our latest blog post.

The Ultimate Step-by-Step Guide for Jenkins to GitHub Actions Migration


Jenkins to GitHub Actions Migration

With many teams looking to migrate from Jenkins to GitHub Actions, our latest blog provides a detailed, step-by-step guide to make the transition smooth and efficient. This guide covers everything from handling complex multi-branch pipelines to securely managing secrets, helping you get the most out of GitHub Actions.

Key topics include:

  • Key differences between Jenkins and GitHub Actions
  • Managing multi-branch pipelines with ease
  • Migrating custom plugins and scripts
  • Best practices for secure secret management
  • Post-migration tips for optimizing CI/CD performance

Whether you're just starting to consider the move or are ready to dive in, this guide has all the insights you need. Read the full guide here.

StepSecurity Harden-Runner Now Secures Over 4,500 Open Source Repositories

Harden-Runner has reached an exciting new milestone—now securing over 4,500 open-source repositories! It’s incredibly rewarding to see Harden-Runner gaining widespread adoption among developers and organizations alike. As more teams prioritize CI/CD security, Harden-Runner is becoming a go-to tool for detecting and blocking unauthorized network and runtime activities. This milestone reflects the growing need for a secure CI/CD environment, and we’re grateful to our community for making this possible.

Learn more about this milestone here.

Harden-Runner Detects and Stops Supply Chain Attack on Azure Karpenter Provider


Microsoft Azure Case Study with StepSecurity

In August, StepSecurity Harden-Runner detected a supply chain attack on Microsoft’s Azure Karpenter Provider in real time. An independent security researcher exploited a vulnerability in the repository, creating unauthorized outbound network calls that were instantly flagged by Harden-Runner.

Harden-Runner’s baseline monitoring detected the anomaly and alerted the team, enabling Microsoft to address the issue promptly. Following the incident, the repository implemented Harden-Runner in block mode, further raising the security bar for their CI/CD pipelines.

This marks the second CI/CD supply chain attack detected by Harden-Runner this year, showcasing its critical role in safeguarding workflows. Read the full case study to learn more.

Harden-Runner Detects Systemic Anomalous Traffic to api.ipify.org


Harden-Runner detects anomalous traffic to api.ipify.org across multiple customers

Earlier this month, Harden-Runner flagged unusual outbound traffic to the domain api.ipify.org across several customers’ GitHub-hosted runners. Upon investigation, we discovered that the process provjobd, an internal tool used temporarily by GitHub for diagnostics, was responsible for the calls. While GitHub confirmed the calls were benign, this incident highlights the importance of real-time monitoring and anomaly detection in CI/CD pipelines.

Harden-Runner’s ability to establish baselines, detect anomalies, and provide process-level visibility ensured that this unexpected activity was caught and investigated immediately.

Check out the blog for a detailed analysis.

Project Spotlight: Meteor

This month we’re putting the spotlight on Meteor’s open source project, which has leveraged the StepSecurity platform to automate GitHub Actions security best practices. Meteor.js is an open source platform for building web, mobile, and desktop applications. Some of the security practices they’ve automated with us are action pinning, setting minimum token permissions for the GITHUB_TOKEN secret, and integrating Dependabot.

By implementing these practices, the Meteor team is taking proactive steps to secure their CI/CD workflows, reducing risk and enhancing the integrity of their software development process. We’re excited to see open-source projects like Meteor prioritize CI/CD security, and we’re proud to support their efforts in building a safer development pipeline.

See the pull request here.
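The practices the Meteor team automated (action pinning, least-privilege GITHUB_TOKEN permissions, Dependabot) and the Harden-Runner block mode mentioned in the Azure Karpenter case study, shown as a weak workflow beside its hardened form. This is an added, constructed example, not a workflow from Meteor, Microsoft or StepSecurity; `<FULL_COMMIT_SHA>` is a placeholder for the real 40-character pin, and the allowed-endpoints list is an assumption for a Node build that only needs GitHub and the npm registry.

```yaml
# BEFORE (constructed, weak): mutable tag, default write-capable token, no egress control
name: build-weak
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # a tag can be moved; what runs here can change without a PR
      - run: npm ci && npm test        # any dependency script can reach any host from the runner
---
# AFTER (constructed, hardened): SHA pins, read-only token, Harden-Runner in block mode
name: build-hardened
on: [pull_request]
permissions:
  contents: read                       # least-privilege GITHUB_TOKEN; grant write scopes per job only when needed
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner
        uses: step-security/harden-runner@<FULL_COMMIT_SHA>   # placeholder: pin to the commit SHA, note the version in a comment
        with:
          egress-policy: block         # audit mode only reports unexpected egress; block enforces the allowlist
          allowed-endpoints: >         # assumed list; derive the real one from an audit-mode baseline run
            api.github.com:443
            github.com:443
            registry.npmjs.org:443
      - uses: actions/checkout@<FULL_COMMIT_SHA>   # placeholder SHA; the version comment lets Dependabot bump it
      - run: npm ci && npm test
---
# .github/dependabot.yml (constructed): keeps the SHA pins and version comments above current
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

An unexpected outbound call from `npm ci` in the hardened job is blocked rather than merely logged, which is the detection-to-prevention step the case study describes when the repository moved from baseline monitoring to block mode.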

Thanks for reading our newsletter. Stay tuned for more updates, features, and insights from the StepSecurity team.


Dr (Maj Gen) Atul K Sharma AVSM, MS, DNB, FALS (IAGES)

Senior Consultant G I & Bariatric Surgery, Chairman Gastrointestinal Sciences & Minimal Access

3 months

Well done StepSecurity team! Keep up the good work!!
