my job?
-
my job? wasting an absolutely ungodly amount of GitHub's free compute

-
my list got cut off

-
@yossarian btw have you seen this? Old news, but not sure if this was widely discussed. TL;DR You can't trust GitHub runner images
How StepSecurity Harden Runner Detected Unexpected Microsoft Defender Installation on GitHub-hosted Ubuntu Runners - StepSecurity
Microsoft Defender was unexpectedly installed on multiple workflow runs from mid-July through mid-August, causing abnormal network traffic. StepSecurity Harden Runner detected this infrastructure anomaly within hours, and GitHub Support has since resolved the issue
(www.stepsecurity.io)
No SBOMs released for affected images during that window
https://github.com/actions/runner-images/releases
-
@caspicat I actually hadn't seen this, but I'm not sure how it makes GH's own runners untrustworthy? it's definitely a (bad) operational error, but AFAICT it doesn't change the platform's security posture significantly