Ƙarƙashin kai hari sake: GitHub Actions mai yaɗuwa suna lalata sirri | Mewayz Blog Skip to main content
Hacker News

Ƙarƙashin kai hari sake: GitHub Actions mai yaɗuwa suna lalata sirri

Sharhi

11 min read Via socket.dev

Mewayz Team

Editorial Team

Hacker News

Trivy a ƙarƙashin hari kuma: Faɗin GitHub Actions alamar sasantawa sirri

Tsaron sarkar samar da software yana da ƙarfi kamar mahaɗin mafi rauni. Ga ƙungiyoyin ci gaba marasa ƙima, wannan hanyar haɗin gwiwa ta zama ainihin kayan aikin da suke dogara da su don nemo lahani. Dangane da juyewar al'amura, Trivy, sanannen na'urar daukar hotan takardu ta rashin lafiya ta hanyar Aqua Security, ta sami kanta a tsakiyar wani babban hari. Masu aikata mugunta sun lalata takamaiman sigar tambarin (`v0.48.0`) a cikin ma'ajin GitHub Actions, shigar da lambar da aka ƙera don satar sirrin sirri daga duk wani aikin da ya yi amfani da shi. Wannan lamarin babban abin tunasarwa ne cewa a cikin tsarin haɗin gwiwarmu na ci gaba, dole ne a ci gaba da tabbatar da amana, ba zato ba.

Anatomy na Tag Compromise Attack

Wannan ba karya ba ce ta ainihin lambar aikace-aikacen Trivy ba, amma wayo ta hanyar CI/CD ta sarrafa kansa. Maharan sun yi niyya ga ma'ajiyar Ayyukan GitHub, suna ƙirƙirar sigar ɓoyayyen fayil ɗin 'action.yml' don alamar `v0.48.0`. Lokacin da aikin mai haɓakawa ya yi nuni da wannan takamammen alamar, aikin zai aiwatar da rubutun cutarwa kafin gudanar da binciken halal ɗin Trivy. An ƙirƙira wannan rubutun don fitar da sirri-kamar alamun ma'ajiya, takaddun shaida na mai ba da girgije, da maɓallan API-zuwa uwar garken nesa wanda maharin ke sarrafa shi. Sihiri na wannan harin ya ta’allaka ne da kebantattun sa; Masu haɓakawa da ke amfani da alamar `@v0.48` ko `@main` masu aminci ba su shafa ba, amma waɗanda suka lika madaidaicin alamar ba da saninsu ba sun gabatar da wata babbar lahani a cikin bututun su.

Me yasa Wannan Lamarin Ke Haɗuwa A Ko'ina cikin Duniyar DevOps

Ƙididdigar Trivy yana da mahimmanci don dalilai da yawa. Na farko, Trivy kayan aikin tsaro ne na tushe wanda miliyoyin ke amfani da shi don bincika rashin lahani a cikin kwantena da lamba. Harin kayan aikin tsaro yana lalata tushen amincin da ake buƙata don ingantaccen ci gaba. Na biyu, yana ba da haske game da haɓakar haɓakar masu kai hare-hare suna motsawa "zuwa sama," suna niyya ga kayan aiki da abubuwan dogaro waɗanda aka gina sauran software akai. Ta hanyar guba wani ɓangaren da ake amfani da shi sosai, za su iya yuwuwar samun damar yin amfani da ɗimbin hanyar sadarwa na ayyukan ƙasa da ƙungiyoyi. Wannan lamarin ya zama wani muhimmin bincike na shari'a a cikin tsaron sarkar samar da kayayyaki, yana nuna cewa babu wani kayan aiki, ko ta yaya mutunci, da ke da kariya daga amfani da shi azaman harin hari.

"Wannan harin yana nuna kyakkyawar fahimta game da halayen masu haɓakawa da kuma injiniyoyi na CI / CD. Yin la'akari da takamaiman alamar alama sau da yawa ana la'akari da shi a matsayin mafi kyawun aiki don kwanciyar hankali, amma wannan lamarin ya nuna zai iya haifar da haɗari idan wannan takamaiman sigar ta lalace. Darasin shine cewa tsaro shine ci gaba da tsari, ba saitin lokaci ɗaya ba. "

Takaitattun Matakai don Kiyaye Ayyukan GitHub ɗinku

Bayan wannan lamarin, masu haɓakawa da ƙungiyoyin tsaro dole ne su ɗauki matakan da suka dace don ƙarfafa ayyukan GitHub Actions ɗin su. Rashin gamsuwa makiyin tsaro ne. Anan akwai mahimman matakai don aiwatarwa nan take:

  • Yi amfani da SHA pinning maimakon tags: Koyaushe yin la'akari da ayyuka ta cikakken aiwatar da zanta (misali, `actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675`). Wannan ita ce hanya ɗaya tilo don tabbatar da cewa kuna amfani da sigar aikin da ba za a iya canzawa ba.
  • Adina ayyukan ku na yanzu:Bincika littafin ku na ''.github/workflows'. Gano duk wani aiki da aka liƙa zuwa tags kuma canza su zuwa aikata SHAs, musamman don mahimman kayan aikin tsaro.
  • Yi amfani da fasalulluka na tsaro na GitHub: Ba da damar bincika matsayin da ake buƙata kuma a sake duba saitin '' gudana_izini', saita su zuwa karantawa-kawai ta tsohuwa don rage yuwuwar lalacewa daga matakin da aka daidaita.
  • Duba ayyukan da ba a saba gani ba: Aiwatar da shiga da sa ido kan bututun CI/CD don gano hanyoyin sadarwar da ba zato ba tsammani ko yunƙurin shiga mara izini ta amfani da sirrin ku.

Gina Gidauniyar Juriya tare da Mewayz

Duk da yake tabbatar da kayan aikin mutum ɗaya yana da mahimmanci, juriyar gaske ta fito ne daga cikakkiyar dabarar ayyukan kasuwancin ku. Abubuwan da suka faru kamar sulhuntawa na Trivy suna bayyana ɓoyayyun sarƙaƙƙiya da haɗarin da ke tattare cikin sarƙoƙin kayan aiki na zamani. Wani dandali kamar Mewayz yana magance wannan ta hanyar samar da haɗe-haɗe, OS na kasuwanci na yau da kullun wanda ke rage ƙwaƙƙwaran dogaro da daidaita sarrafawa. Maimakon jujjuya ayyuka iri-iri iri-iri-kowanne yana da nasa tsarin tsaro da sake zagayowar sabuntawa-Mewayz yana haɗa mahimman ayyuka kamar sarrafa ayyukan, CRM, da sarrafa takardu cikin wuri guda, amintaccen yanayi. Wannan haɓakawa yana rage girman kai harin kuma yana sauƙaƙe tsarin tsaro, yana bawa ƙungiyoyi damar mai da hankali kan abubuwan gini maimakon ci gaba da yin lahani a cikin rarrabuwar kawuna. A cikin duniyar da alamar tambari guda ɗaya na iya haifar da babban ɓarna, haɗaɗɗen tsaro da ingantaccen ayyukan da Mewayz ke bayarwa yana ba da ingantaccen tushe mai sarrafawa da kuma iya dubawa don haɓaka.

💡 DID YOU KNOW?

Mewayz replaces 8+ business tools in one platform

CRM · Invoicing · HR · Projects · Booking · eCommerce · POS · Analytics. Free forever plan available.

Start Free →

Tambayoyin da ake yawan yi

Trivy a ƙarƙashin hari kuma: Faɗin GitHub Actions alamar sasantawa sirri

Tsaron sarkar samar da software yana da ƙarfi kamar mahaɗin mafi rauni. Ga ƙungiyoyin ci gaba marasa ƙima, wannan hanyar haɗin gwiwa ta zama ainihin kayan aikin da suke dogara da su don nemo lahani. Dangane da juyewar al'amura, Trivy, sanannen na'urar daukar hotan takardu ta rashin lafiya ta hanyar Aqua Security, ta sami kanta a tsakiyar wani babban hari. Masu aikata mugunta sun lalata takamaiman sigar tambarin (`v0.48.0`) a cikin ma'ajin GitHub Actions, shigar da lambar da aka ƙera don satar sirrin sirri daga duk wani aikin da ya yi amfani da shi. Wannan lamarin babban abin tunasarwa ne cewa a cikin tsarin haɗin gwiwarmu na ci gaba, dole ne a ci gaba da tabbatar da amana, ba zato ba.

Anatomy na Tag Compromise Attack

Wannan ba karya ba ce ta ainihin lambar aikace-aikacen Trivy ba, amma wayo ta hanyar CI/CD ta sarrafa kansa. Maharan sun yi niyya ga ma'ajiyar Ayyukan GitHub, suna ƙirƙirar sigar ɓoyayyen fayil ɗin 'action.yml' don alamar `v0.48.0`. Lokacin da aikin mai haɓakawa ya yi nuni da wannan takamammen alamar, aikin zai aiwatar da rubutun cutarwa kafin gudanar da binciken halal ɗin Trivy. An ƙirƙira wannan rubutun don fitar da sirri-kamar alamun ma'ajiya, takaddun shaida na mai ba da girgije, da maɓallan API-zuwa uwar garken nesa wanda maharin ke sarrafa shi. Sihiri na wannan harin ya ta’allaka ne da kebantattun sa; Masu haɓakawa da ke amfani da alamar `@v0.48` ko `@main` masu aminci ba su shafa ba, amma waɗanda suka lika madaidaicin alamar ba da saninsu ba sun gabatar da wata babbar lahani a cikin bututun su.

Me yasa Wannan Lamarin Ke Haɗuwa A Duk Duniyar DevOps

Ƙididdigar Trivy yana da mahimmanci don dalilai da yawa. Na farko, Trivy kayan aikin tsaro ne na tushe wanda miliyoyin ke amfani da shi don bincika rashin lahani a cikin kwantena da lamba. Harin kayan aikin tsaro yana lalata tushen amincin da ake buƙata don ingantaccen ci gaba. Na biyu, yana ba da haske game da haɓakar haɓakar masu kai hare-hare suna motsawa "zuwa sama," suna niyya ga kayan aiki da abubuwan dogaro waɗanda aka gina sauran software akai. Ta hanyar guba wani ɓangaren da ake amfani da shi sosai, za su iya yuwuwar samun damar yin amfani da ɗimbin hanyar sadarwa na ayyukan ƙasa da ƙungiyoyi. Wannan lamarin ya zama wani muhimmin bincike na shari'a a cikin tsaron sarkar samar da kayayyaki, yana nuna cewa babu wani kayan aiki, ko ta yaya mutunci, da ke da kariya daga amfani da shi azaman harin hari.

Tsarin Matakai don Tsare Ayyukan GitHub ɗinku

Bayan wannan lamarin, masu haɓakawa da ƙungiyoyin tsaro dole ne su ɗauki matakan da suka dace don ƙarfafa ayyukan GitHub Actions ɗin su. Rashin gamsuwa makiyin tsaro ne. Anan akwai mahimman matakai don aiwatarwa nan take:

Gina Gidauniyar Juriya tare da Mewayz

Duk da yake tabbatar da kayan aikin mutum ɗaya yana da mahimmanci, juriyar gaske ta fito ne daga cikakkiyar dabarar ayyukan kasuwancin ku. Abubuwan da suka faru kamar sulhuntawa na Trivy suna bayyana ɓoyayyun sarƙaƙƙiya da haɗarin da ke tattare cikin sarƙoƙin kayan aiki na zamani. Wani dandali kamar Mewayz yana magance wannan ta hanyar samar da haɗe-haɗe, OS na kasuwanci na yau da kullun wanda ke rage ƙwaƙƙwaran dogaro da daidaita sarrafawa. Maimakon jujjuya ayyuka iri-iri iri-iri-kowanne yana da nasa tsarin tsaro da sake zagayowar sabuntawa-Mewayz yana haɗa mahimman ayyuka kamar sarrafa ayyukan, CRM, da sarrafa takardu cikin wuri guda, amintaccen yanayi. Wannan haɓakawa yana rage girman kai harin kuma yana sauƙaƙe tsarin tsaro, yana bawa ƙungiyoyi damar mai da hankali kan abubuwan gini maimakon ci gaba da yin lahani a cikin rarrabuwar kawuna. A cikin duniyar da alamar tambari guda ɗaya na iya haifar da babban ɓarna, haɗaɗɗen tsaro da daidaita ayyukan da Mewayz ke bayarwa suna ba da ingantaccen tushe mai sarrafawa da iya tantancewa don haɓaka.

Gina Kasuwancin Kasuwancin ku A Yau

Daga masu zaman kansu zuwa hukumomi, Mewayz yana ba da ikon kasuwanci 138,000+ tare da haɗaɗɗun kayayyaki 208. Fara kyauta, haɓakawa lokacin da kuka girma.

Ƙirƙiri Asusun Kyauta →

Try Mewayz Free

All-in-one platform for CRM, invoicing, projects, HR & more. No credit card required.

Start Free Try Demo

Start managing your business smarter today

Join 6,208+ businesses. Free forever plan · No credit card required.

Start Free → Watch Demo
Found this useful? Share it.
X / Twitter LinkedIn Facebook WhatsApp

Ready to put this into practice?

Join 6,208+ businesses using Mewayz. Free forever plan — no credit card required.

Start Free Trial →

Related articles

Hacker News

The insider trading suspicions looming over Trump's presidency

Apr 20, 2026

Hacker News

Claude Token Counter, now with model comparisons

Apr 20, 2026

Hacker News

Show HN: A lightweight way to make agents talk without paying for API usage

Apr 20, 2026

 Show HN: TRELLIS.2 image-to-3D running on Mac Silicon – no Nvidia GPU needed

Hacker News

Show HN: TRELLIS.2 image-to-3D running on Mac Silicon – no Nvidia GPU needed

Apr 20, 2026

Hacker News

Sudo for Windows

Apr 19, 2026

 Swiss AI Initiative (2023)

Hacker News

Swiss AI Initiative (2023)

Apr 19, 2026

Ready to take action?

Start your free Mewayz trial today

All-in-one business platform. No credit card required.

Start Free →

14-day free trial · No credit card · Cancel anytime