Trivy Under Attack Again: Widespread GitHub Actions Tag Compromise Leaks Secrets

7 min read · Via socket.dev

Mewayz Team, Editorial Team


Software supply chain security is only as strong as its weakest link. For countless development teams, that link has become the very tools they rely on to find vulnerabilities. In a striking turn of events, Trivy, the open-source vulnerability scanner maintained by Aqua Security, found itself at the centre of a sophisticated attack. Malicious actors compromised a specific version tag (`v0.48.0`) in its GitHub Actions repository, injecting code designed to exfiltrate sensitive secrets from any workflow that used it. The incident is a stark reminder that in our interconnected development pipelines, trust must be continuously verified, never assumed.

Anatomy of the tag compromise attack

This was not a breach of Trivy's core application code, but a clever subversion of the CI/CD supply chain. The attackers targeted the GitHub Actions repository, creating a malicious version of the `action.yml` file for the `v0.48.0` tag. When a developer's workflow referenced this specific tag, the action would execute a malicious script before running the legitimate Trivy scan. The script was designed to exfiltrate secrets, such as repository tokens, cloud provider credentials and API keys, to a remote server controlled by the attacker. The danger of this attack lay in its subtlety: developers using the safer `@v0.48` or `@main` references were unaffected, but those pinned to the exact compromised tag unknowingly introduced a critical vulnerability into their pipelines.
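The mechanism above relies on a git tag being mutable: the name `v0.48.0` stays the same while the commit behind it changes. One defensive check a team can run from a scheduled job is to record the commit each tag resolved to when it was last reviewed, then compare that record against the output of `git ls-remote --tags` on the action repository. The script below is an added example written for this post, not code from Trivy, Aqua Security or GitHub; the `ls-remote` output, the tag names other than `v0.48.0` and every commit hash in it are constructed placeholders.

```python
import re

# Constructed sample of `git ls-remote --tags <repo-url>` output (not real data).
# Annotated tags appear twice: the plain entry is the tag object, the "^{}"
# entry is the peeled commit the tag ultimately points to.
SAMPLE_LS_REMOTE = (
    "1111111111111111111111111111111111111111\trefs/tags/v0.47.0\n"
    "2222222222222222222222222222222222222222\trefs/tags/v0.48.0\n"
    "3333333333333333333333333333333333333333\trefs/tags/v0.48.0^{}\n"
    "4444444444444444444444444444444444444444\trefs/tags/v0.48\n"
)

# Same listing after a hypothetical re-point of v0.48.0 to a different commit.
SAMPLE_LS_REMOTE_MOVED = SAMPLE_LS_REMOTE.replace(
    "3333333333333333333333333333333333333333",
    "5555555555555555555555555555555555555555",
)

# Hypothetical lock record: the commit each tag resolved to at the last review.
# For annotated tags store the peeled commit, since that is what a workflow runs.
EXPECTED = {
    "v0.47.0": "1111111111111111111111111111111111111111",
    "v0.48.0": "3333333333333333333333333333333333333333",
    "v0.48": "4444444444444444444444444444444444444444",
}

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def parse_ls_remote(output):
    """Map tag name -> commit SHA, preferring the peeled ^{} entry when present."""
    tags = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        if not ref.startswith("refs/tags/") or not FULL_SHA.match(sha):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha  # peeled commit overrides the tag object
        else:
            tags.setdefault(name, sha)  # keep unless a peeled entry follows
    return tags


def check_tags(current, expected):
    """Return (tag, expected_sha, current_sha) for every tag that moved or vanished."""
    drift = []
    for tag, want in expected.items():
        got = current.get(tag)
        if got != want:
            drift.append((tag, want, got))
    return drift


if __name__ == "__main__":
    for label, listing in (("baseline", SAMPLE_LS_REMOTE), ("moved", SAMPLE_LS_REMOTE_MOVED)):
        drift = check_tags(parse_ls_remote(listing), EXPECTED)
        print(f"{label}: {'no drift' if not drift else drift}")
```

In a real pipeline the `SAMPLE_*` strings would be replaced by the captured `git ls-remote` output, and any non-empty result from `check_tags` should fail the job and page the owning team, since a tag that changes commit without a matching release is exactly the signal this incident produced.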

Why this incident resonated across the DevOps world

The Trivy compromise matters for several reasons. First, Trivy is a foundational security tool used by millions to scan containers and code for vulnerabilities. An attack on a security tool erodes the baseline trust that secure development requires. Second, it highlights the growing tendency of attackers to move "upstream", targeting the tools and dependencies that other software is built on. By poisoning one widely used component, they can reach a vast network of downstream projects and organisations. The incident serves as a critical lesson in supply chain security, demonstrating that no tool, however reputable, is immune to being used as an attack vector.

"This attack demonstrates a deep understanding of developer behaviour and CI/CD mechanics. Pinning to a specific version tag is usually considered a stability best practice, but this incident shows it can introduce risk if that particular version is compromised. The lesson is that security is a continuous process, not a one-time setup."

Immediate steps to protect your GitHub Actions

In the wake of this incident, developers and security teams must take proactive steps to harden their GitHub Actions workflows. Complacency is the enemy of security. Here are the essential steps to implement immediately:

  • Use SHA pinning instead of tags: Always reference actions by their full commit hash (for example, `actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675`). This is the only way to guarantee you are running an immutable version of the action.
  • Audit your current workflows: Review your `.github/workflows` directory. Identify any actions pinned to tags and switch them to SHAs, prioritising critical security tools.
  • Leverage GitHub's security features: Enable required status checks and review the workflow permissions setting, restricting it to read-only by default to limit the damage a compromised action can do.
  • Monitor for unusual activity: Use logging and monitoring on your CI/CD pipelines to spot unexpected outbound network connections or unauthorised access attempts that use your secrets.
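The first three steps above (SHA pinning, auditing the workflow directory, and checking that permissions are declared) can be turned into a single linting pass over workflow files. The script below is an added example for this post, not a tool from GitHub, Aqua Security or the Trivy project: it reads a workflow, reports every `uses:` reference that is not a full 40-hex commit SHA, and notes whether a `permissions:` block is declared at all. The sample workflow is constructed for the example; the `aquasecurity/trivy-action@v0.48.0` line mirrors the tag named in this post, the other action names are placeholders, and the `actions/checkout` SHA is the one quoted in the list above.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not from any real repository) mixing
# SHA-pinned, tag-pinned and branch-pinned actions, with no permissions block.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
      - uses: aquasecurity/trivy-action@v0.48.0   # tag reference, mutable
        with:
          scan-type: fs
      - uses: example-org/example-action@main    # hypothetical branch reference
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERMISSIONS_LINE = re.compile(r"^\s*permissions:\s*")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    reason: str


def audit_workflow(text):
    """Return (findings, has_permissions) for one workflow file's text.

    A finding is raised for every remote action whose ref is not a full
    commit SHA. Local (./) and docker:// references carry no git tag and
    are skipped; docker images should be pinned by digest separately.
    """
    findings = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PERMISSIONS_LINE.match(line):
            has_permissions = True
        m = USES_LINE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, sep, ref = spec.partition("@")
        if not sep:
            findings.append(Finding(lineno, action, "", "missing ref"))
        elif not FULL_SHA.match(ref):
            findings.append(Finding(lineno, action, ref,
                                    "mutable ref, pin to a full 40-hex commit SHA"))
    return findings, has_permissions


def report(text):
    """Human-readable summary; returns True when the workflow passes."""
    findings, has_permissions = audit_workflow(text)
    for f in findings:
        print(f"line {f.line}: {f.action}@{f.ref or '<none>'}: {f.reason}")
    if not has_permissions:
        print("no permissions: block declared; GITHUB_TOKEN falls back to the repository default")
    return not findings and has_permissions


if __name__ == "__main__":
    ok = report(SAMPLE_WORKFLOW)
    print("PASS" if ok else "FAIL")
```

Run it over every file in `.github/workflows` as a required status check and the two tag-pinned steps in the sample are flagged while the SHA-pinned checkout passes; the missing `permissions:` block is reported so that the repository default, rather than an explicit read-only grant, is not relied on silently.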

Building a resilient foundation with Mewayz

While the security of each individual tool matters, true resilience comes from a holistic approach to how your business operates. Incidents like the Trivy compromise expose the hidden complexity and risk baked into modern toolchains. A platform like Mewayz addresses this by providing a unified, modular business OS that reduces dependency sprawl and centralises control. Instead of juggling a dozen disparate services, each with its own security model and update cycle, Mewayz consolidates core functions such as project management, CRM and document management into a single, secure environment. This consolidation shrinks the attack surface and simplifies security governance, letting teams focus on building features rather than constantly patching vulnerabilities in a fragmented software stack. In a world where a single compromised tag can lead to a major breach, the integrated security and streamlined operations Mewayz provides offer a manageable, auditable foundation for growth.


