Hacker News

Trivy Under Attack Again: Widespread GitHub Actions Tag Compromise Steals Secrets

News

14 min read Via socket.dev

Mewayz Team

Editorial Team

The security of a software supply chain is only as strong as its weakest link. For countless development teams, that link has become the very tools they rely on to find vulnerabilities. In a troubling development, Trivy, the popular open-source vulnerability scanner maintained by Aqua Security, found itself at the centre of a sophisticated attack. Malicious actors compromised a specific version tag (`v0.48.0`) in its GitHub Actions repository, injecting code designed to steal sensitive secrets from any workflow that used it. This incident is a stark reminder that in our interconnected development ecosystem, trust must be continuously verified, never assumed.

Anatomy of the Tag Compromise Attack

This was not a compromise of Trivy's core application code, but a clever subversion of its CI/CD automation. The attackers targeted the GitHub Actions repository and created a malicious version of the `action.yml` file for the `v0.48.0` tag. When a developer's workflow referenced this specific tag, the action executed a harmful script before running the legitimate Trivy scan. The script was designed to exfiltrate secrets, such as repository tokens, cloud provider credentials, and API keys, to a remote server controlled by the attacker. The cleverness of the attack lay in its specificity: developers using the safer `@v0.48` or `@main` tags were unaffected, while those who pinned exactly to the compromised tag unknowingly introduced a critical vulnerability into their pipeline.

Why This Incident Matters Across the DevOps World

The Trivy compromise is significant for several reasons. First, Trivy is a critical security tool used by millions to scan containers and code for vulnerabilities. An attack on a security tool undermines the fundamental trust that secure development depends on. Second, it follows a growing trend of attackers moving "upstream", targeting the tools and dependencies that other software is built on. By poisoning a single widely used component, they can gain access to a vast network of downstream projects and organizations. This incident is a case study in supply chain security: any tool, regardless of its reputation, can be turned into an attack vector.

Emphasizing the point: "This compromise reveals a surprising insight into developer behaviour and CI/CD engineering. Pinning to a specific version tag is often considered a best practice for stability, but this incident shows it can also introduce risk if that specific version is compromised. The lesson is that security is an ongoing process, not a one-time setup."

Immediate Steps to Secure Your GitHub Actions

In the wake of this incident, developers and security teams must take proactive measures to harden their GitHub Actions workflows. Complacency is the enemy of security. These are the critical steps to take immediately:

  • Use commit SHA pinning instead of tags: Always reference actions by their full commit hash (e.g., `actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675`). This is the only way to ensure you are running an immutable version of the action.
  • Audit your current workflows: Review your `.github/workflows` directory thoroughly. Identify every action pinned to a tag and switch it to a commit SHA, especially for critical security tools.
  • Use GitHub's security features: Enable required status checks and review the `workflow_permissions` setting, configuring it to read-only by default so that a compromised action can do less damage.
  • Monitor for anomalous activity: Implement logging and monitoring for your CI/CD pipelines to detect unexpected outbound network connections or unauthorized attempts to access your secrets.
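As an added example, not code from the original post or from the Trivy project, the following Python audit flags the two weaknesses the steps above describe: `uses:` references not pinned to a full 40-hex commit SHA, and a missing top-level `permissions:` block. Both workflow texts are constructed; the `aquasecurity/trivy-action` path is assumed, since the post does not name it.

```python
import re

# Constructed sample workflows (not from the original post): the first pins the
# scanner to a mutable tag, the second uses the full commit SHA quoted in the post.
WEAK_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@v0.48.0
"""

HARDENED_WORKFLOW = """\
name: scan
on: [push]
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675  # full-SHA pin
      - uses: ./.github/actions/local-scan
"""

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def audit_workflow(text):
    """Return (reference, finding) pairs; an empty list means nothing to fix."""
    findings = []
    # Without a top-level permissions block, GITHUB_TOKEN keeps its default scopes.
    if re.search(r"^permissions:", text, re.M) is None:
        findings.append(("<workflow>", "no top-level permissions block"))
    for line in text.splitlines():
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action: versioned with the repository itself
        if "@" not in ref:
            findings.append((ref, "no ref: resolves to the default branch"))
        elif not SHA40.match(ref.rsplit("@", 1)[1]):
            findings.append((ref, "mutable ref: pin to a full commit SHA"))
    return findings
```

Run it over every file in `.github/workflows` and treat a non-empty result as a blocking finding; a SHA pin is only immutable when it is the full 40 characters, so short hashes are reported as mutable as well.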

Building Resilient Infrastructure with Mewayz

While securing individual tools is important, true resilience comes from a holistic approach to how you run your business. Incidents like the Trivy compromise expose the hidden complexity and risk in modern tool stacks. Platforms like Mewayz address this through a unified, modular business OS that reduces dependency sprawl and centralizes control. Instead of juggling a dozen separate services, each with its own security posture and update cycle, Mewayz consolidates core functions such as project management, CRM, and document handling into a single secure environment. This consolidation shrinks the attack surface and simplifies security governance, letting teams focus on building rather than constantly patching vulnerabilities across fragmented software. In a world where a single compromised tag can lead to a major breach, the integrated security and streamlined operations that Mewayz provides offer a stable foundation that can scale with growth.

