Self-Hosted GitHub CI/CD Runners: Continuous Integration, Continuous Destruction


Black Hat USA 2024 · Day 1 · Briefing

This talk, "Self-Hosted GitHub CI/CD Runners: Continuous Integration, Continuous Destruction," delivered by Adnan Khan and John Stawinski at Black Hat USA, exposes a critical and systemic vulnerability class impacting organizations globally: the insecure configuration of **self-hosted GitHub Actions runners**. The speakers highlight a pervasive lack of awareness regarding the security implications of these CI/CD agents, which, when misconfigured, can serve as a direct conduit for attackers to launch devastating supply chain attacks. They assert that public GitHub repositories, often overlooked as a potential attack surface, are becoming a primary entry point for such compromises.
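The misconfiguration the speakers describe is easiest to spot in the workflow files themselves: a job that runs on a self-hosted runner while being triggered by an event a fork of a public repository can raise. The following audit script is an added example, not code from the talk or from GitHub; it assumes simply formatted workflow YAML (top-level `on:` and indented `runs-on:` keys), and treats any label that is not a GitHub-hosted image name as self-hosted. The three workflow texts are constructed samples.

```python
"""Flag GitHub Actions workflows where fork-triggerable events reach a self-hosted runner."""
import re

# Events that a pull request from a fork of a public repository can trigger (assumption:
# these are the triggers worth flagging; push/tag events require write access to the repo).
FORK_TRIGGERED = {"pull_request", "pull_request_target"}

def parse_workflow(text):
    """Line-based extraction of top-level trigger names and every runs-on value.
    Assumes the simple YAML layout shown in the samples below, not a full YAML parser."""
    triggers, runners = set(), []
    in_on, on_indent = False, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0 and stripped.startswith("on:"):
            rest = stripped[3:].strip()
            if rest:  # inline form: "on: push" or "on: [push, pull_request]"
                triggers.update(t.strip() for t in rest.strip("[]").split(",") if t.strip())
                in_on = False
            else:     # block form: trigger names are the keys nested one level under on:
                in_on, on_indent = True, None
            continue
        if in_on:
            if indent == 0:
                in_on = False          # left the on: block, fall through to runs-on check
            else:
                on_indent = indent if on_indent is None else on_indent
                if indent == on_indent:
                    m = re.match(r"^-?\s*([A-Za-z_]+)", stripped)
                    if m:
                        triggers.add(m.group(1))
                continue
        m = re.match(r"^runs-on:\s*(.+)$", stripped)
        if m:
            runners.append(m.group(1).strip().strip("[]"))
    return triggers, runners

def uses_self_hosted(runner_expr):
    """True when any runs-on label is not a GitHub-hosted image (assumption: ubuntu-*/windows-*/macos-*)."""
    labels = [l.strip().strip("'\"") for l in runner_expr.split(",") if l.strip()]
    return any(not re.match(r"^(ubuntu|windows|macos)-", l) for l in labels)

def audit(workflows):
    """Return the names of workflows that combine a fork-triggerable event with a self-hosted runner."""
    findings = []
    for name, text in workflows.items():
        triggers, runners = parse_workflow(text)
        if (triggers & FORK_TRIGGERED) and any(uses_self_hosted(r) for r in runners):
            findings.append(name)
    return findings

# Constructed sample workflows: only the first combines a fork-reachable trigger with a self-hosted runner.
WORKFLOWS = {
    "ci-insecure.yml": "name: CI\non:\n  pull_request:\n    branches: [main]\njobs:\n  build:\n"
                       "    runs-on: [self-hosted, linux]\n    steps:\n      - run: make test\n",
    "ci-hosted.yml": "name: CI\non: [push, pull_request]\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
                     "    steps:\n      - run: make test\n",
    "release.yml": "name: Release\non:\n  push:\n    tags: ['v*']\njobs:\n  deploy:\n"
                   "    runs-on: self-hosted\n    steps:\n      - run: ./deploy.sh\n",
}

if __name__ == "__main__":
    print(audit(WORKFLOWS))  # ['ci-insecure.yml']
```

Run it against a checkout's `.github/workflows/` directory by loading each file's text into the `workflows` mapping; a hit means untrusted fork code can execute on infrastructure the repository owner operates.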
