Rootconf Mini 2024 (on 22nd & 23rd Nov)

Geeking out on systems and security since 2012

This video is for members only

Abhimanyu Dhamija

Abhimanyu Dhamija

@abhidhamija

Github Action CI Security with BOLT

Submitted Oct 11, 2024

Abstract:
CI systems are the security orchestration centre of the SDLC but CI itself has become an attack surface as Solarwinds and Codecov attacks have shown.

BOLT: https://github.com/koalalab-inc/bolt an OSS tool, secures CI runtime/build time from two attack vectors:

  1. Secret Exfiltration and
  2. Build Tampering.

BOLT instruments an egress gateway and auditd rules. Egress gateway enables BOLT to filter outbound traffic. Auditd logs are used to monitor for any kind of source/build tampering.

Furthermore, egress-filter itself has many other nuances. The outbound traffic from the build system can go to multi-tenant systems like GitHub, DockerHub, JFrog etc. Ensuring only the trusted tenants are being called in egress calls is necessary to ensure security.

BOLT instruments eBPF probes to do deep SSL inspection of egress traffic. Applying destination aware rules on top of deep SSL inspection enables BOLT to trust tenants across multi-tenant systems like GitHub/DockerHub/JFrog.

image

Takeaways:

  1. Understand threat vectors in CI systems.
  2. Use BOLT to secure Github actions CI runtime.
  3. Understand nuances of egress-filter at build time.
  4. Understanding instrumentation of eBPF filtering and how deep SSL inspection can be used for other use-cases like minimal token permissions.

Audience:

  1. Security Engineers: who are keen to understand and implement advanced CI security measures.
  2. Security Leadership: CISOs, Security Directors, and Managers looking to gain insights into the nuances of CI/CD security and software supply chain protection.
  3. Cloud Architects/Platform engineers: Professionals designing secure cloud infrastructures who need to understand the latest in CI security and eBPF applications.
  4. Technically Curious: Anyone with a technical background interested in learning about advanced concepts in CI security, eBPF, and software supply chain protection, presented in an accessible manner.

Comments

{{ gettext('Login to leave a comment') }}

{{ gettext('Post a comment…') }}
{{ gettext('New comment') }}
{{ formTitle }}

{{ errorMsg }}

{{ gettext('No comments posted yet') }}

Hosted by

We care about site reliability, cloud costs, security and data privacy

Supported by

Platinum Sponsor

Nutanix is a global leader in cloud software, offering organizations a single platform for running apps and data across clouds.

Platinum Sponsor

PhonePe was founded in December 2015 and has emerged as India’s largest payments app, enabling digital inclusion for consumers and merchants alike.

Silver Sponsor

The next-gen analytics engine for heavy workloads.

Sponsor

Community sponsor

Peak XV Partners (formerly Sequoia Capital India & SEA) is a leading venture capital firm investing across India, Southeast Asia and beyond.

Venue host - Rootconf workshops

Thoughtworks is a pioneering global technology consultancy, leading the charge in custom software development and technology innovation.

Community Partner

FOSS United is a non-profit foundation that aims at promoting and strengthening the Free and Open Source Software (FOSS) ecosystem in India. more

Community Partner

A community of Rust language contributors and end-users from Bangalore. We have presence on the following telegram channels https://t.me/RustIndia https://t.me/fpncr LinkedIn: https://www.linkedin.com/company/rust-india/ Twitter (not updated frequently): https://twitter.com/rustlangin more