Trivy Under Attack: GitHub Actions Tag Compromise Leaks Secrets Far and Wide
Mewayz Team
Editorial Team
A system's security is only as strong as its weakest link. In automated pipelines, that link is often the very tooling relied on to catch vulnerabilities. In a troubling turn of events, Trivy, the widely used vulnerability scanner maintained by Aqua Security, found itself at the centre of a sophisticated attack. Malicious actors compromised a specific version tag (`v0.48.0`) in its GitHub Actions repository, replacing it with a copy built to steal sensitive secrets from every workflow that used it. The incident is a stark reminder that trust in the interlinked components of our pipelines must be verified continuously, never assumed.
Anatomy of the Tag Compromise Attack
This was not a breach of Trivy's core code but a subversion of its CI/CD automation. The attackers targeted the GitHub Actions repository and planted a malicious modification of the `action.yml` file behind the `v0.48.0` tag. When a developer's workflow referenced that exact tag, the action ran a malicious script before performing the legitimate Trivy scan. The script was crafted to exfiltrate secrets such as repository tokens, cloud provider credentials and API keys to a remote server under the attacker's control. What made the attack insidious was its precision: developers referencing the broader `@v0.48` or `@main` refs happened to be unaffected, while those who had pinned to the exact compromised tag unknowingly pulled the malicious code into their pipelines. Note that `@v0.48` and `@main` escaped only because the attacker chose not to move them; a branch or major-version tag is more mutable than an exact tag, not safer, and the same attacker could have re-pointed them just as easily.
Why This Incident Resonates Across the DevOps World
The Trivy compromise stands out for several reasons. First, Trivy is a critical security tool used by millions to scan containers and code for vulnerabilities, and an attack on a security tool undermines the very trust a secure pipeline is built on. Second, it highlights how attackers are moving "upstream", targeting the tools and dependencies on which other systems are built: by poisoning a single widely used component, they gain a foothold in a large number of downstream projects and organisations. The incident is a major case study in supply-chain security, showing that no tool, however reputable, is beyond being turned into an attack vector.
"This attack shows a deep understanding of developer behaviour and CI/CD mechanics. Pinning to a specific version tag is often considered best practice for stability, but this incident shows that it can also introduce risk when that specific version is compromised. The lesson is that security is a continuous process, not a one-time configuration."
Immediate Steps to Protect Your GitHub Workflows
In the wake of this incident, developers and security teams must take proactive steps to harden their GitHub Actions workflows. Complacency is the enemy of security. The key immediate steps are:
- Use commit SHA pinning instead of tags: Always reference actions by their full commit hash (e.g., `actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675`). A full SHA is the only reference that cannot be moved after the fact; a tag or branch can be re-pointed by anyone with push access to the action's repository. Keep the human-readable tag in a trailing comment so reviewers can still tell which release the SHA corresponds to, and remember that a pinned action can itself pull in sub-actions or container images referenced by tag, which need the same scrutiny.
- Audit your existing workflows: Go through your `.github/workflows` directory carefully. Identify every action that is referenced by a tag and convert it to a commit SHA, prioritising security-critical tools. Resolve each tag against the action's repository (for example with `git ls-remote --tags`) and confirm the SHA matches the release you expect before pinning it.
- Use GitHub's built-in security controls: Enable the environment protection rules you need, and set the repository's "Workflow permissions" setting so the `GITHUB_TOKEN` is read-only by default, then grant only the scopes a job actually needs through a `permissions:` block in the workflow. This limits the damage a compromised action can do with the token.
- Monitor for unusual activity: Add logging and monitoring to your CI/CD pipelines so you can detect unexpected outbound network connections or unauthorised attempts to use your secrets. A build that suddenly talks to a host you have never seen before is the signal to look for; egress filtering on the runners turns that detection into prevention.
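The audit and pinning steps above, together with the tag-versus-SHA distinction from the attack anatomy, can be made mechanical. The script below is an added example written for this article; it is not code from Trivy, Aqua Security, GitHub or Mewayz. It scans workflow YAML as plain text, reports every `uses:` reference that is not a full 40-character commit SHA, notes whether the workflow declares a top-level `permissions:` block, and rewrites tag references using a tag-to-SHA map that you have verified yourself (for instance with `git ls-remote --tags`). The sample workflow and every SHA in the map are constructed placeholders, not real commits.

```python
"""Audit GitHub Actions workflows for mutable action references.

Added example for this article, not code from Trivy, Aqua Security, GitHub or Mewayz.
Workflow YAML is scanned as text so no third-party parser is needed.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# A step-level `uses:` line, with or without a leading "- " and optional quotes.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# Only a column-0 `permissions:` key counts as a workflow-wide token default.
TOP_LEVEL_PERMISSIONS_RE = re.compile(r'^permissions:', re.MULTILINE)


@dataclass
class ActionRef:
    line: int
    action: str   # e.g. "aquasecurity/trivy-action"
    ref: str      # e.g. "v0.48.0", "main" or a commit SHA
    pinned: bool  # True only for a full 40-hex SHA


def parse_uses(text):
    """Return every remote action reference found in a workflow body."""
    refs = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local composite actions and docker:// images are not git refs; skip them here.
        if target.startswith('./') or target.startswith('docker://'):
            continue
        action, _, ref = target.partition('@')
        refs.append(ActionRef(n, action, ref, bool(FULL_SHA_RE.match(ref))))
    return refs


def audit_workflow(text):
    """Flag tag, branch and short-SHA references plus a missing top-level permissions block."""
    return {
        'unpinned': [r for r in parse_uses(text) if not r.pinned],
        'has_permissions': bool(TOP_LEVEL_PERMISSIONS_RE.search(text)),
    }


def pin_references(text, tag_to_sha):
    """Rewrite `owner/repo@tag` to `owner/repo@<sha>  # tag` for every tag in the map.

    The map must come from your own verification (e.g. `git ls-remote --tags`),
    never from anything the workflow itself claims.
    """
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            target = m.group(1)
            action, _, ref = target.partition('@')
            if ref and not FULL_SHA_RE.match(ref) and target in tag_to_sha:
                line = line.replace(target, f'{action}@{tag_to_sha[target]}') + f'  # {ref}'
        out.append(line)
    return '\n'.join(out) + '\n'


def audit_directory(path='.github/workflows'):
    """Audit every workflow file under `path` (the real repository layout)."""
    return {str(p): audit_workflow(p.read_text()) for p in sorted(Path(path).glob('*.y*ml'))}


# Constructed sample: one major-version tag, one exact tag, one full SHA, one local action.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@v0.48.0
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""

# Placeholder SHAs for illustration only; resolve the real ones yourself before pinning.
TAG_TO_SHA = {
    'actions/checkout@v4': 'fedcba9876543210fedcba9876543210fedcba98',
    'aquasecurity/trivy-action@v0.48.0': 'abcdef0123456789abcdef0123456789abcdef01',
}

if __name__ == '__main__':
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    report = audit_workflow(text)
    for r in report['unpinned']:
        print(f'line {r.line}: {r.action}@{r.ref} is not pinned to a full commit SHA')
    if not report['has_permissions']:
        print('no top-level permissions: block; GITHUB_TOKEN gets the repository default')
    print('--- pinned rewrite ---')
    print(pin_references(text, TAG_TO_SHA), end='')
```

Run it with a workflow path as the first argument, or with no arguments to see the constructed sample. On the sample it reports `actions/checkout@v4` and `aquasecurity/trivy-action@v0.48.0` as unpinned and the missing `permissions:` block, then prints the rewritten file with each SHA followed by the original tag in a comment. The deliberately narrow `^permissions:` check means job-level permissions are not counted; that is intentional, since only the top-level block changes the default for every job.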
A Resilient Foundation Built with Mewayz
While the security of individual tools matters, true resilience comes from the overall approach you take to your business operations. Incidents like the Trivy compromise expose the complexity and hidden risk in modern tool chains. A platform such as Mewayz addresses this with a unified, modular business OS that reduces dependency sprawl and keeps control in one place. Instead of juggling twelve different services, each with its own security posture and update cycle, Mewayz consolidates core functions such as project management, CRM and invoicing into a single secure environment. This consolidation shrinks the attack surface and simplifies security oversight, letting teams focus on building rather than endlessly patching a fragmented stack. In a world where a single compromised tag can cause a major breach, the integrated, streamlined operations Mewayz offers provide a more defensible and auditable foundation for growth.