hunt-cicd

Solid

Hunt CI/CD pipeline vulnerabilities — GitHub Actions workflow injection (pull_request_target Pwnrequest + ${{ }}-into-shell), self-hosted runner poisoning, OIDC trust-policy abuse, Jenkins script-console RCE and CVE-2024-23897 file read, GitLab CI runner-token registration, Terraform state file leakage, artifact/log secret leakage, pipeline env-var disclosure. Use when target has a public GitHub/GitLab org, exposed CI dashboards (Jenkins/TeamCity/Drone/Argo), or build artifacts/images are reachable.

DevOps & Infrastructure 1,912 stars 279 forks Updated 3 days ago NOASSERTION


Quality Score: 86/100

Stars (weight 20%): 100
Recency (weight 20%): 100
Frontmatter (weight 20%): 70
Documentation (weight 15%): 100
Issue Health (weight 10%): 50
License (weight 10%): 100
Description (weight 5%): 100

Skill Content

# HUNT-CICD — CI/CD Pipeline Security

## Crown Jewel Targets

Jenkins `/script` console reachable = immediate RCE. A GitHub Actions `pull_request_target` (or `workflow_run`) workflow that checks out the **PR head ref** and references untrusted `${{ github.event.* }}` in a shell `run:` = "Pwnrequest" → secret exfil from a fork PR with zero approval.

**Highest-value findings:**

- **Jenkins Script Console** — Groovy execution → full RCE → dump the credential store
- **Jenkins CLI file read (CVE-2024-23897)** — pre-auth `@/etc/passwd` arg expansion → read `secret.key`/`credentials.xml` → forge admin → RCE
- **GitHub Actions `pull_request_target` injection (Pwnrequest)** — fork PR controls `${{ }}` inside a privileged shell step → exfil `GITHUB_TOKEN` (often `contents:write`) and org secrets
- **Self-hosted runner poisoning** — non-ephemeral runner on a public repo executes a fork PR's build → attacker code runs on the runner host → persistence + secret theft
- **OIDC trust-policy abuse** — over-broad `sub` claim wildcard in an AWS IAM role trust policy → any workflow in the org assumes a privileged cloud role
- **Terraform state leakage** — `*.tfstate` in public S3/GCS/Blob → plaintext infra creds, DB passwords, private keys
- **Runner token / artifact / log leakage** — register attacker runner, or harvest secrets printed before `::add-mask::`

---

## "It-Didn't-Happen-Without-Proof" Gate (Read First)

CI/CD findings are over-reported because dashboards *look* exploitable. Bef...

Details

Author: elementalsouls
Repository: elementalsouls/Claude-BugHunter
Created: 1 month ago
Last Updated: 3 days ago
Language: Python
License: NOASSERTION
