The GitHub Actions Attack Diagram is a visual guide for identifying and exploiting vulnerabilities in GitHub Actions configurations. It outlines various attack paths, starting from read-only or write access to a GitHub organization or repository. The diagram covers multiple attack vectors, including: 1. Self-hosted runner takeover 2. PWN requests 3. Secrets exfiltration It provides links to additional resources for context and is based on real-world red team engagements and public vulnerability research. The diagram focuses on major attack paths and Tactics, Techniques, and Procedures (TTPs) that have been successfully used in live environments. While not exhaustive, the tool serves as a reference for security professionals to understand and mitigate potential risks in GitHub Actions workflows. It also includes references to related research presentations and blog posts detailing real-world exploits of CI/CD vulnerabilities.
FEATURES
This tool is not verified yet and doesn't have listed features.
Did you submit the verified tool? Sign in to add features.
Are you the author? Claim the tool by clicking the icon above. After claiming, you can add features.
ALTERNATIVES
A powerful penetration testing platform for identifying vulnerabilities and weaknesses in computer systems.
A collection of scripts for Turbo Intruder, a penetration testing tool
An open-source shellcode and PE packer for creating and managing portable executable files.
Back-end component for red team operations with crucial design considerations.
CrossC2 enables generation of cross-platform payloads for CobaltStrike, enhancing operational flexibility.
A script to enumerate Google Storage buckets and determine access and privilege escalation