Critical Microsoft GitHub Flaw Highlights Dangers to CI/CD Pipelines: Tenable


A critical vulnerability in a popular Microsoft GitHub repository could allow a threat actor to easily exploit its CI/CD infrastructure to run arbitrary code in the repository and gain access to secrets, according to researchers with cybersecurity firm Tenable.

In an advisory issued April 21, Rémy Marot, staff research engineer at Tenable, wrote that “by exploiting this vulnerability, an attacker with an unprivileged GitHub account could exfiltrate secrets available to the workflow run and perform unauthorized operations on the target GitHub repository.”

The security flaw can be easily exploited, and illustrates the growing security risks as CI/CD pipelines play an increasingly central role in the software development field, according to Marot.

He found that the Microsoft GitHub repository was using a vulnerable GitHub workflow that allowed any GitHub user to set off remote code execution (RCE) in the GitHub runner. Through this, the bad actor could gain access to a token that let them run unauthorized actions on the repository and compromise the software supply chain.

Tenable described the repository as a “significant point of interaction for developers,” noting that it had been forked 5,000 times and had more than 7,700 stars. Because the source code for the repository was public, anyone with a registered GitHub account could easily exploit it.

‘Trivial’ Exploitation

Exploitation of the flaw was “trivial,” Marot wrote. All it took was for an attacker to open a GitHub issue – a built-in collaboration tool used by developers to document tasks, report bugs, or propose new features – which is open to any registered user, according to Tenable.

From there, the hacker could inject malicious Python code into the issue description, with the GitHub workflow automatically starting up when the issue was created. Doing so executed the attacker’s code within the GitHub runner, which runs the jobs in a GitHub Actions workflow and essentially serves as the engine for the CI/CD pipeline.

The exploit allowed the threat actor to exfiltrate the GITHUB_TOKEN and other secrets on the repository. Depending on the permissions in the GITHUB_TOKEN, it could allow privileged operations on the repository, Marot said.

Tenable is giving the vulnerability a CVSSv4 severity score of 9.3 out of 10. Microsoft patched the vulnerable workflow via a pull request.

Rising CI/CD Threats

The vulnerability illustrates why developers need to view their CI/CD pipelines as critical pipelines and secure them accordingly, Marot said.

“The CI/CD infrastructure is part of an organization’s attack surface and software supply chain, requiring strict security controls to protect source code and build integrity,” Marot wrote in a FAQ accompanying the Tenable report. “Without strong safeguards, a vulnerability in a pipeline can be exploited to trigger large-scale supply chain attacks and have critical impacts on downstream systems and users.”

Security vendors for several years have been warning about the increasing focus that bad actors are putting on CI/CD infrastructure. The OWASP Foundation has listed the top 10 CI/CD security risks, ranging from insufficient flow control mechanisms and dependency chain abuse to insufficient credential hygiene and insecure system configuration.

“CI/CD environments, processes, and systems are the beating heart of any modern software organization,” the organization wrote. “They deliver code from an engineer’s workstation to production. Combined with the rise of the DevOps discipline and microservice architectures, CI/CD systems and processes have reshaped the engineering ecosystem.”

Expanding the Attack Surface

At the same time, they also have expanded the attack surface, creating new pathways for attackers.

“Adversaries of all levels of sophistication are shifting their attention to CI/CD, realizing CI/CD services provide an efficient path to reaching an organization’s crown jewels,” OWASP wrote. “The industry is witnessing a significant rise in the amount, frequency and magnitude of incidents and attack vectors focusing on abusing flaws in the CI/CD ecosystem.”

Trivy Attack a Recent Example

Cybersecurity consultancy IANS Research pointed to the recent supply chain attack that compromised Aqua Security’s Trivy open source security vulnerability scanner and associated GitHub Actions as an example of the growing focus of threat actors on software development processes, noting that it “has triggered a cascading compromise across CI/CD environments.”

“Threat actors are leveling up their supply chain attacks,” IANS researchers wrote in a blog post last month. “By combining a trusted security tool compromise with worm-like propagation and token hijacking, attackers turned trusted CI/CD workflows and package ecosystems into an easy channel for distributing malware.”

Tenable recommended that development teams implement “rigorous security measures” to protect source code, build integrity into automated workflows, and update and restrict GITHUB_TOKEN permissions. In addition, they need to regularly audit automated workflows to ensure there are no injection vulnerabilities that can be exploited by external user input.
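As an added illustration of the audit Tenable recommends (this is not code from the advisory, Tenable or Microsoft), the Python check below flags user-controlled issue fields that are interpolated into run scripts and workflows that never declare GITHUB_TOKEN permissions. The function name audit_workflow and both sample workflows are constructed for this example.

```python
import re

# Event fields an outside user controls (GitHub documents these as untrusted).
UNTRUSTED = re.compile(r"\$\{\{\s*(github\.event\.(?:issue|pull_request|comment|review)"
                       r"\.(?:title|body)|github\.head_ref)\s*\}\}")

def audit_workflow(text):
    """Return (line, kind, detail) findings for one workflow file's text."""
    findings, run_col, has_permissions = [], None, False
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if re.match(r"\s*permissions:", line):
            has_permissions = True
        if re.match(r"\s*(?:-\s+)?run:", line):
            run_col = line.index("run:")      # a script step starts here
        elif run_col is not None and line.strip() and indent <= run_col:
            run_col = None                    # dedent: the script has ended
        if run_col is not None:  # expression text is pasted into the script
            for m in UNTRUSTED.finditer(line):
                findings.append((n, "script-injection", m.group(1)))
    if not has_permissions:
        findings.append((0, "no-permissions-block", "GITHUB_TOKEN keeps default scope"))
    return findings

# Constructed samples, not the workflow described in the advisory.
VULNERABLE = """\
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: |
          python -c "print(len('''${{ github.event.issue.body }}'''))"
"""
HARDENED = """\
on: issues
permissions:
  issues: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          python -c "import os; print(len(os.environ['ISSUE_BODY']))"
"""
if __name__ == "__main__":
    print(audit_workflow(VULNERABLE), audit_workflow(HARDENED))
```

The hardened sample passes the issue body through an environment variable, so the runner hands it to Python as data instead of splicing it into the script text.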



from DevOps.com https://ift.tt/iw9U0mS
