Use Canary Credentials to detect supply chain compromise #7195
dancho-atanasov-tracebit started this conversation in Ideas
Replies: 0 comments
I saw you're diligent and have put effort into hardening your GitHub Actions workflows, and you managed to avoid the Trivy incident (#6980), but I wanted to share what we're working on that might help in the future.
I work at Tracebit and we've shipped a free forever Community GitHub Action targeting this type of supply chain attack. It issues AWS and SSH canary credentials (honeytokens) in your workflows, and any attempted use would alert you and pinpoint exactly which workflow run has been compromised. Our action's code is open source and we will keep it that way.
We wrote up a PoC reproducing TeamPCP's attack chain (Trivy, KICS, LiteLLM, Telnyx; GHSA-69fq-xp46-6x23) here and this is Wiz's article that encourages the use of honeytokens when preventions fail in package security.
You can register for free at https://community.tracebit.com/ and install the Tracebit GitHub App, which helps monitor your workflow coverage and install our GitHub Action. After installation, you can click deploy on a repository and follow the steps to open a PR that integrates our action into all of the workflows.
I'm also more than happy to raise a PR and implement it myself. No stress if it doesn't fit; I thought it would be useful to share with the wider community.
Thanks, Dancho
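The post above describes the mechanism in one sentence: each workflow run gets its own canary credentials, and any use of them both raises an alert and identifies the run that leaked them. The block below is an added example, not Tracebit's action or any code from this discussion, showing the detection half of that idea for AWS canary keys. It assumes a hypothetical issuance step that has already recorded which run each canary AccessKeyId was handed to, and it reads constructed CloudTrail-style JSON records (the `userIdentity.accessKeyId` field is the real CloudTrail field; the key IDs, repo, workflow names and IP address are made up). The point it makes beyond the prose: a canary key has no legitimate caller, so a denied call is just as much an alert as a successful one, and the registry lookup is what turns "someone used a key" into "run 12345 of ci.yml was compromised".

```python
"""Map a used AWS canary key back to the CI workflow run it was issued to.

Hypothetical example, not Tracebit's code. Assumes a separate issuance step
that gives each workflow run its own unprivileged canary AccessKeyId and
records (repo, workflow, run_id) against it. Canary keys have no legitimate
use, so every CloudTrail event bearing one is an alert.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class CanaryIssue:
    access_key_id: str
    repo: str
    workflow: str
    run_id: str


class CanaryRegistry:
    """Records which workflow run each canary key was issued to."""

    def __init__(self):
        self._by_key = {}

    def issue(self, access_key_id, repo, workflow, run_id):
        # A real issuer would create an IAM key with no permissions here;
        # in this example the (made-up) key id is supplied by the caller.
        if access_key_id in self._by_key:
            raise ValueError("canary key ids must be unique per run")
        rec = CanaryIssue(access_key_id, repo, workflow, run_id)
        self._by_key[access_key_id] = rec
        return rec

    def lookup(self, access_key_id):
        return self._by_key.get(access_key_id)


def detect_canary_use(registry, cloudtrail_records):
    """Return one alert dict per CloudTrail record that used a canary key."""
    alerts = []
    for rec in cloudtrail_records:
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        issue = registry.lookup(key_id)
        if issue is None:
            continue  # not a canary: normal traffic, ignore
        alerts.append({
            "repo": issue.repo,
            "workflow": issue.workflow,
            "run_id": issue.run_id,
            "access_key_id": key_id,
            "event_time": rec.get("eventTime"),
            "event_name": rec.get("eventName"),
            "source_ip": rec.get("sourceIPAddress"),
            # AccessDenied still means the key left the runner and was tried.
            "error_code": rec.get("errorCode"),
        })
    return alerts


# Constructed CloudTrail-style records (not real log data). The second line
# is ordinary traffic with a non-canary key and must not alert.
SAMPLE_CLOUDTRAIL = "\n".join([
    json.dumps({"eventTime": "2025-01-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
                "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
                "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY001"}}),
    json.dumps({"eventTime": "2025-01-01T10:00:05Z", "eventSource": "s3.amazonaws.com",
                "eventName": "PutObject", "sourceIPAddress": "198.51.100.4",
                "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEREALKEY01"}}),
    json.dumps({"eventTime": "2025-01-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
                "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
                "errorCode": "AccessDenied",
                "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY002"}}),
])


def demo():
    """Issue two canaries to two (made-up) runs, then scan the sample records."""
    registry = CanaryRegistry()
    registry.issue("AKIAEXAMPLECANARY001", "example-org/example-repo", "ci.yml", "12345")
    registry.issue("AKIAEXAMPLECANARY002", "example-org/example-repo", "release.yml", "12346")
    records = [json.loads(line) for line in SAMPLE_CLOUDTRAIL.splitlines()]
    return detect_canary_use(registry, records)


if __name__ == "__main__":
    for a in demo():
        print(f"{a['repo']} {a['workflow']} run {a['run_id']}: "
              f"{a['event_name']} from {a['source_ip']} (error={a['error_code']})")
```

In practice the registry lookup is the part worth getting right: the issuer must write the run mapping before the key is placed in the runner's environment, otherwise a key that is stolen and used within seconds of issuance alerts without a run to blame. The same shape works for SSH canaries if the sshd auth log is the input instead of CloudTrail and the lookup key is the public key fingerprint.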