1 comment

tldr-bot · 1 point · 2 hours ago

A security researcher demonstrated that GitHub Actions' SHA pinning practice—widely recommended as a security best practice—contains a critical vulnerability allowing attackers to substitute malicious code from forked repositories while maintaining the appearance of a trusted reference. The flaw exists because GitHub resolves commit SHAs against a global object database rather than validating they belong to the specified repository, making human review of seemingly minor version bumps insufficient to prevent supply chain attacks.

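A reviewer-side check that follows from the comment above, written as an added example that is not part of the original post, of GitHub's tooling, or of any published advisory. The point of the flaw is that asking GitHub to resolve `owner/repo@sha` tells you nothing about whether the commit is actually part of `owner/repo`, so this script does not ask GitHub to resolve anything: it fetches only the branches and tags the repository itself advertises and accepts a pinned SHA only if it is an ancestor of one of them. It assumes `git` is on PATH; the `example/demo-action` name, the workflow snippet and the two local repositories (an "upstream" and a "fork" that adds one commit) are constructed fixtures standing in for GitHub repositories, which also means GitHub's own fork-network resolution is not reproduced here, only the check a reviewer would run against it.

```python
"""Verify that SHA-pinned `uses:` lines in a GitHub Actions workflow point at
commits reachable from a ref advertised by the named repository.

Added example, not code from the post or from GitHub. Assumes `git` is on PATH.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

GIT_AVAILABLE = shutil.which("git") is not None

# `- uses: owner/repo[/subpath]@<40 hex chars>`; version tags like @v4 are not SHA pins.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]+)?@([0-9a-f]{40})\b", re.M)


def pinned_actions(workflow_text):
    """Return (owner/repo, sha) pairs for every SHA-pinned `uses:` line."""
    return USES_RE.findall(workflow_text)


def _git(*args, cwd=None):
    """Run git non-interactively with a fixed identity (needed for commits in the demo repos)."""
    cmd = ["git", "-c", "user.name=demo", "-c", "user.email=demo@example.com", *args]
    return subprocess.run(cmd, cwd=cwd, check=True, capture_output=True, text=True).stdout.strip()


def _git_ok(*args, cwd=None):
    """True iff the git command exits 0 (used for yes/no queries)."""
    return subprocess.run(["git", *args], cwd=cwd, capture_output=True).returncode == 0


def sha_belongs_to_repo(repo_url, sha):
    """True iff `sha` is an ancestor of (or equal to) a branch or tag advertised by repo_url.

    Only advertised refs are fetched, never the bare SHA, so an object that exists
    somewhere in a fork network but hangs off no ref of this repository is rejected.
    """
    with tempfile.TemporaryDirectory() as tmp:
        _git("init", "-q", cwd=tmp)
        _git("fetch", "-q", "--no-tags", repo_url,
             "+refs/heads/*:refs/remotes/target/*", "+refs/tags/*:refs/tags/*", cwd=tmp)
        # Not even present after fetching the advertised refs: cannot be reachable from them.
        if not _git_ok("cat-file", "-e", f"{sha}^{{commit}}", cwd=tmp):
            return False
        refs = _git("for-each-ref", "--format=%(objectname)",
                    "refs/remotes/target/", "refs/tags/", cwd=tmp).split()
        return any(_git_ok("merge-base", "--is-ancestor", sha, ref, cwd=tmp) for ref in refs)


def audit_workflow(workflow_text, url_for):
    """Map each SHA-pinned `uses:` line to (repo, sha, belongs); url_for(repo) locates the repo."""
    return [(repo, sha, sha_belongs_to_repo(url_for(repo), sha))
            for repo, sha in pinned_actions(workflow_text)]


def make_demo_repos(root):
    """Constructed fixture: an upstream repo with one commit and a tag, plus a fork that
    adds one more commit. Returns (upstream_path, fork_path, upstream_sha, fork_sha)."""
    upstream, fork = Path(root) / "upstream", Path(root) / "fork"
    upstream.mkdir()
    _git("init", "-q", cwd=upstream)
    _git("symbolic-ref", "HEAD", "refs/heads/main", cwd=upstream)
    (upstream / "action.yml").write_text("name: demo\nruns:\n  using: node20\n  main: index.js\n")
    _git("add", ".", cwd=upstream)
    _git("commit", "-q", "-m", "v1", cwd=upstream)
    _git("tag", "v1", cwd=upstream)
    upstream_sha = _git("rev-parse", "HEAD", cwd=upstream)
    _git("clone", "-q", str(upstream), str(fork))
    (fork / "index.js").write_text("// constructed fork-only change\n")
    _git("add", ".", cwd=fork)
    _git("commit", "-q", "-m", "v1 (fork)", cwd=fork)
    fork_sha = _git("rev-parse", "HEAD", cwd=fork)
    return str(upstream), str(fork), upstream_sha, fork_sha


def run_demo():
    """Audit a constructed workflow that pins the upstream SHA and the fork-only SHA
    against the upstream repo; the fork-only SHA must be rejected there but accepted
    when checked against the fork itself."""
    with tempfile.TemporaryDirectory() as root:
        upstream, fork, good, bad = make_demo_repos(root)
        workflow = (f"steps:\n  - uses: example/demo-action@{good}  # v1\n"
                    f"  - uses: example/demo-action@{bad}  # v1\n")
        results = audit_workflow(workflow, lambda repo: upstream)  # every repo maps to upstream
        return {
            "upstream_sha_ok": results[0][2],
            "fork_sha_ok": results[1][2],
            "fork_sha_in_fork": sha_belongs_to_repo(fork, bad),
        }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Run against a real workflow by passing `lambda repo: f"https://github.com/{repo}.git"` as `url_for`; a `False` result for a pinned SHA is exactly the "version bump" a reviewer could not spot by eye, since the line still names the trusted repository.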