hunt-cicd


HUNT-CICD — CI/CD Pipeline Security

Crown Jewel Targets

A reachable Jenkins /script console = immediate RCE. A GitHub Actions pull_request_target (or workflow_run) workflow that checks out the PR head ref and references untrusted ${{ github.event.* }} in a shell run: step = "Pwnrequest" → secret exfil from a fork PR with zero approval.

Highest-value findings:

  • Jenkins Script Console — Groovy execution → full RCE → dump the credential store
  • Jenkins CLI file read (CVE-2024-23897) — pre-auth @/etc/passwd arg expansion → read secret.key/credentials.xml → forge admin → RCE
  • GitHub Actions pull_request_target injection (Pwnrequest) — fork PR controls ${{ }} inside a privileged shell step → exfil GITHUB_TOKEN (often contents:write) and org secrets
  • Self-hosted runner poisoning — non-ephemeral runner on a public repo executes a fork PR's build → attacker code runs on the runner host → persistence + secret theft
  • OIDC trust-policy abuse — over-broad sub claim wildcard in an AWS IAM role trust policy → any workflow in the org assumes a privileged cloud role
  • Terraform state leakage — *.tfstate in public S3/GCS/Blob → plaintext infra creds, DB passwords, private keys
  • Runner token / artifact / log leakage — register attacker runner, or harvest secrets printed before ::add-mask::
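As an added, defensive illustration (not code from this skill or its repository), the check below flags the Pwnrequest shape described above in a workflow file: a privileged trigger, a checkout of the PR head ref, and a github.event.* expression interpolated into a run: step. The two workflow texts are constructed samples, the regexes are a line-based heuristic rather than a YAML parse, and assess_workflow is an assumed name.

```python
import re
# Constructed sample workflows (not from the page). RISKY is the "Pwnrequest" shape:
# a privileged trigger, checkout of the PR head, and PR-controlled text in a run step.
RISKY_WORKFLOW = """\
on: [pull_request_target]
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Checking ${{ github.event.pull_request.title }}"
"""
# SAFE keeps the trigger but never checks out the fork and passes PR text via an env var.
SAFE_WORKFLOW = """\
on: [pull_request_target]
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - run: echo "Checking $PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""

PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run")
UNTRUSTED_EXPR = re.compile(r"\$\{\{\s*github\.event\.[^}]*\}\}")  # heuristic: attacker-influenced
HEAD_REF = re.compile(r"ref:\s*\$\{\{\s*github\.event\.\w+\.head")

def assess_workflow(text: str) -> list:
    """Return findings for one workflow file; an empty list means nothing flagged."""
    findings = []
    if not any(t in text for t in PRIVILEGED_TRIGGERS):
        return findings  # no privileged trigger, so no write token / secrets exposed
    if HEAD_REF.search(text):
        findings.append("checks out PR head ref under a privileged trigger")
    in_run, run_indent = False, 0
    for line in text.splitlines():
        body = line.lstrip()
        indent = len(line) - len(body)
        if body.startswith("- run:") or body.startswith("run:"):
            # the 'run' key sits two columns past a leading '- '
            in_run, run_indent = True, indent + (2 if body.startswith("- ") else 0)
        elif not (in_run and indent > run_indent):
            in_run = False  # left the run block (env:, with:, next step ...)
            continue
        for m in UNTRUSTED_EXPR.finditer(body):
            findings.append("untrusted expression in shell step: " + m.group(0))
    return findings
```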

"It-Didn't-Happen-Without-Proof" Gate (Read First)

Installs: 10 · GitHub Stars: 2.6K · First Seen: Jun 5, 2026

hunt-cicd — elementalsouls/claude-bughunter