When Changed Files Changed Everything: Uncovering and Responding to the tj-actions Supply Chain Breach
Varun Sharma, Ashish Kurmi

When Changed Files Changed Our Weekend Plans
Spoiler: They were definitely changed
Even CISA said Yikes!

Top Companies using changed-files
- Argo
- TypeScript
- Kong
- PostHog
- GitHub
- Hugging Face
- HashiCorp
- Meta
- Microsoft

Agenda
- How was the attack detected?
- What was the malicious code doing?
- How was the action compromised?
- How did organizations respond?
- Lessons learned from the incident

About Varun Sharma
- Co-Founder and CEO of StepSecurity, a cybersecurity startup securing CI/CD pipelines against supply chain attacks
- Former Principal Security Software Engineering Manager at Microsoft
- Led Azure's Green Team to solve high-risk, systemic security issues
- MSc in Information Security from Royal Holloway, University of London

About Ashish Kurmi
- CTO and Co-Founder of StepSecurity
- Specializes in CI/CD and GitHub Actions security
- Over 13 years of experience in security engineering at Plaid, Uber, and Microsoft
- Recognized leader in developing advanced cybersecurity solutions

01. Introduction to GitHub Actions and the tj-actions/changed-files action

Brief Overview of GitHub Actions

Demo: GitHub Actions Workflow Run

Workflow Triggers
- Pull Request
- Merge to main

02. Initial Detection and Investigation

Baseline-driven security monitoring