Checking for stored secrets in the environment of a runner.
Extracting private repositories or internal documentation. GitHub.anom
Adding a new SSH key to the authorized_keys file of a service account. Checking for stored secrets in the environment of a runner
Exploiting vulnerable CI/CD pipelines where secrets are printed to logs or where pull_request triggers allow for unauthorized code execution . GitHub.anom
Analysts begin by scanning for open ports and services.
If the GitHub runner uses Docker, attackers may exploit a mounted /var/run/docker.sock to gain root access to the host machine. 4. Post-Exploitation