Description
Push of unreviewed code to sensitive repository branches can be restricted by requiring users to create pull requests and receive approvals from other organization members before merging the code to the target branch.
With GitHub Actions enabled, any user with Write permissions on a repository can create and run GitHub Actions workflows, and grant the workflow Write permissions on the repository.
The author of the workflow can then leverage this to instruct the Github Actions workflow to approve their pull request.
This vulnerability enables the author to approve their own pull request and merge unreviewed code to the target branch, effectively bypassing the multiple reviews security control.
Remediations
Avoid setting credentials with the global scope. Instead, limit the scope of credentials so it would be accessible only on jobs where it is required.
To limit the scope of Jenkins credentials using folder scopes:
- Install the Folders plugin. (https://plugins.jenkins.io/cloudbees-folder/).
- Create a folder for each group of pipelines that require access to a set of credentials, and move the pipelines to the folder.
- Create the credentials and set it with the folder’s scope.
To limit the scope of Jenkins credentials using user scopes:
Follow the instructions in the link below.
https://docs.cloudbees.com/docs/admin-resources/latest/pipelines/user-scoped-creds#_adding_user_scoped_credentials_to_your_user_account
