Linting GitHub workflows for escalation-of-privilege vulnerabilities
Posted Dec 6, 2024 22:16 UTC (Fri) by nickodell (subscriber, #125165)
Parent article: Abusing Git branch names to compromise a PyPI package
William Woodruff has been working on a tool which analyzes GitHub workflow files and looks for insecure design choices. He claims that it would have found the ultralytics issue. I have not tried this personally, but it seems like an interesting idea.
https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-...
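As an added illustration of the kind of check such a workflow linter performs (this is example code written for this page, not zizmor's own implementation), the script below scans a workflow file for GitHub Actions expressions whose value an outside contributor can choose, such as a branch name via `github.head_ref` or a pull-request title, and reports any that are expanded directly inside a `run:` step, where the runner substitutes them into the shell script before it executes. The list of untrusted contexts, the line-based handling of `run:` block scalars, and the two sample workflows are all constructed here for the example; the "hardened" sample shows the usual mitigation of passing the value through an environment variable instead.

```python
import re

# Expression contexts whose value an outside contributor controls (branch names,
# PR titles and bodies, issue and comment text, commit messages). This table is
# assembled for the example; a full linter would carry a longer one.
UNTRUSTED_CONTEXTS = (
    "github.head_ref",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.head_commit.message",
)

EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")
# Matches a `run:` key (optionally as a list item) and captures its indentation,
# an optional block-scalar indicator (| or >) and any inline script text.
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(\|[-+]?|>[-+]?)?\s*(.*)$")


def untrusted_refs(expr: str):
    """Return the untrusted context names referenced inside one ${{ }} expression."""
    body = expr.strip()
    return [c for c in UNTRUSTED_CONTEXTS
            if re.search(re.escape(c) + r"(?![\w.])", body)]


def lint_workflow(text: str):
    """Return (line_number, context) pairs for untrusted expressions inside run: scripts."""
    findings = []
    run_indent = None  # indentation of the `run:` key whose block scalar we are inside
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = RUN_RE.match(line)
        if m:
            indent, block, inline = m.groups()
            if block:
                # Block scalar: the script is on the following, deeper-indented lines.
                run_indent = len(indent)
                continue
            run_indent = None
            script = inline
        elif run_indent is not None:
            stripped = len(line) - len(line.lstrip(" "))
            if line.strip() == "" or stripped > run_indent:
                script = line
            else:
                run_indent = None  # block scalar ended
                continue
        else:
            continue  # not part of a run: script (e.g. env:, with:, name:)
        for em in EXPR_RE.finditer(script):
            for ctx in untrusted_refs(em.group(1)):
                findings.append((lineno, ctx))
    return findings


# Constructed sample: the branch name and PR title are substituted into the
# shell script text itself, so a crafted branch name becomes shell code.
VULNERABLE_WORKFLOW = """\
name: ci
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Announce branch
        run: |
          echo "Building ${{ github.head_ref }}"
          echo "Title: ${{ github.event.pull_request.title }}"
"""

# Constructed sample: the same values reach the script only as environment
# variables, which the shell treats as data rather than code.
HARDENED_WORKFLOW = """\
name: ci
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Announce branch
        env:
          BRANCH: ${{ github.head_ref }}
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Building $BRANCH"
          echo "Title: $TITLE"
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        for lineno, ctx in lint_workflow(wf):
            print(f"{label}:{lineno}: untrusted expression {ctx} expanded in run: step")
```

Running the script flags lines 10 and 11 of the vulnerable sample and nothing in the hardened one. The line-based scanner is deliberately simple; a real linter would parse the YAML properly and also examine other sinks, such as the `script:` input of `actions/github-script`.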
