
CI/CD Misconfigurations validation with Allero

· 3 min read
Akhan Zhakiyanov
Lead engineer
warning

https://github.com/allero-io/allero was archived by its owner on July 19, 2023.

Recently my team and I came across https://www.allero.io/, a tool that validates CI/CD pipelines for security problems such as:

  • plain-text passwords
  • potentially malicious code execution
  • and more

Although I was quite sceptical about it initially, it found one issue with the default rules.

NPM install issue

The error output is below:

Rule: 3-ensure-npm-ignore-scripts
Failure Message: npm install or ci is used without ignoring post and preinstall scripts
┏━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ SCM PLATFORM ┃ CICD PLATFORM  ┃ OWNER NAME  ┃ REPOSITORY NAME                     ┃ PIPELINE RELATIVE PATH           ┃
┣━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Local        ┃ Github Actions ┃ local_owner ┃ /home/runner/work/testrepo/testrepo ┃ .github/workflows/build.yml      ┃
┣━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Local        ┃ Github Actions ┃ local_owner ┃ /home/runner/work/testrepo/testrepo ┃ .github/workflows/lint.yml       ┃
┣━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Local        ┃ Github Actions ┃ local_owner ┃ /home/runner/work/testrepo/testrepo ┃ .github/workflows/publish.yml    ┃
┣━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Local        ┃ Github Actions ┃ local_owner ┃ /home/runner/work/testrepo/testrepo ┃ .github/workflows/blabla.yml     ┃
┗━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

NPM scripts lifecycle

Whenever you run an NPM command, a set of NPM scripts is associated with it, and they are all executed in a specified order called the lifecycle order.

The full list can be found in the official NPM scripts docs.

In our case, for npm install or npm ci, that order is:

  • preinstall
  • install
  • postinstall
  • prepublish
  • preprepare
  • prepare
  • postprepare

These all run after the actual installation of modules into node_modules, in order, with no internal actions happening in between.

Potential execution of malicious code

Let's say some NPM package has been published and we decide to install it. This package has a postinstall script that executes some code.

// package.json
{
  "scripts": {
    "postinstall": "node malicious.js"
  }
}

If you simply run npm install or npm ci, the malicious.js file will also be executed, doing something we might not want.

Ignore scripts

To prevent this, you can disable script execution:

  • NPM: npm install --ignore-scripts or npm ci --ignore-scripts
  • YARN: yarn add --ignore-scripts
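As an added example (not from the post and not Allero's own code), here is a small line-based scanner that reports what the 3-ensure-npm-ignore-scripts rule above reports: every npm install/ci and yarn install/add in a GitHub Actions workflow that runs without --ignore-scripts. It goes slightly beyond the flag itself by treating an earlier "npm config set ignore-scripts true" step as covering later npm commands in the same job; the workflow text is constructed for the example.

```python
import re

# Package-manager invocations that run lifecycle scripts unless told not to.
# Bare `yarn` (an implicit install) is not matched, so `yarn build` is not flagged.
INSTALL_RE = re.compile(
    r"\b(?:npm\s+(?:install|ci|i)|yarn\s+(?:install|add))\b(?P<args>[^&|;]*)"
)
# `npm config set ignore-scripts true` persists in the runner's user npmrc, so it
# covers every npm command that runs later in the same job.
GLOBAL_OPT_OUT_RE = re.compile(r"\bnpm\s+config\s+set\s+ignore-scripts\s+true\b")


def find_unsafe_installs(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, command) for each install that still runs scripts."""
    findings = []
    npm_globally_muted = False
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        code = line.split("#", 1)[0].strip()  # drop YAML/shell comments
        if GLOBAL_OPT_OUT_RE.search(code):
            npm_globally_muted = True
        for match in INSTALL_RE.finditer(code):
            cmd = match.group(0).strip()
            if "--ignore-scripts" in match.group("args"):
                continue  # mitigated on the command itself
            if cmd.startswith("npm") and npm_globally_muted:
                continue  # mitigated by the earlier global setting
            findings.append((lineno, cmd))
    return findings


# Constructed sample workflow (not from the post) mixing safe and unsafe steps.
SAMPLE_WORKFLOW = """\
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci                                          # unsafe
      - run: npm install --ignore-scripts && npm run build   # safe
      - name: lint
        run: |
          yarn add eslint                                    # unsafe
          npm run lint
      - run: npm config set ignore-scripts true
      - run: npm i left-pad                                  # covered above
"""

if __name__ == "__main__":
    for lineno, cmd in find_unsafe_installs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: '{cmd}' runs lifecycle scripts; add --ignore-scripts")
```

Keep in mind that --ignore-scripts also skips your own project's lifecycle scripts (prepare, postinstall of native modules and so on), so a pipeline that depends on them needs an explicit follow-up step such as npm rebuild or npm run prepare.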

How allero works

https://github.com/allero-io/allero/blob/main/pkg/connectors/github/githubConnector.go#L63-L64

  • It uses a personal access token (PAT) to fetch data for your repository (there is no git clone, which is what I initially assumed it did)
  • It fetches the repository JSON object from the Github API (or Gitlab)
  • It stores these JSON repository objects locally in the $HOME/.allero directory
  • It runs the analyzer using the default rules or custom rules from .allero/github/rules

Conclusion

An attacker needs to discover only one vulnerability to break a system, while a security specialist needs to know about and protect against all of them.

CI/CD validation is one of many aspects of security in your organization. Don't ignore it!