With the continual move towards SaaS applications, zero-trust networks, cloud deployments, and infrastructure-as-code, attackers are increasingly targeting various points in an organization’s technology supply chain. For many organizations, the security of CI/CD infrastructure has long been an afterthought, losing out to agility and ease of use. In particular, the broad and unmanaged use of self-hosted runners for GitHub and GitLab can put an organization at serious risk of lateral movement and credential exposure in cloud and on-premises environments. In numerous Red Team engagements this year, we’ve leveraged self-hosted runners to establish footholds, obtain access to sensitive credentials, and compromise deployment infrastructure that directly led to production systems.
To help identify and prevent these misconfigurations, we’ve developed an open-source tool that can automatically scan repositories and organizations for self-hosted runners and insecure workflows an attacker could leverage for supply-chain attacks. While the bulk of the attack path requires manual enumeration, this tool helps to quickly identify cases where exploitation is possible.