
Sher: A Secure Broker for DevSecOps and CI/CD Workflows

DOI: 10.4236/jsea.2024.175018, pp. 321-339

Keywords: CI/CD Pipelines, GitHub, GitOps, DevSecOps, Isolation, Security, SAST


Abstract:

GitHub Actions, a popular CI/CD platform, introduces significant security challenges because of its integration with GitHub’s open ecosystem and its flexible workflow configurations. This paper presents Sher (Self-Hosted Ephemeral Runner), a Python-based tool that improves the security of GitHub Actions by automating the detection and remediation of security issues in workflows. Sher acts as a broker between GitHub’s APIs and a customizable, isolated environment: it analyzes workflows with a static rules engine and automatically fixes the issues it identifies. By providing a secure, ephemeral runner environment and a dynamic analysis tool, Sher addresses common misconfigurations and vulnerabilities, contributing to the resilience and integrity of DevSecOps practices in software development pipelines.

