Skip to content

Feature: adding canary tokens to detect supply chain compromise #351

Description

@Erj4

This is a suggestion to add security canaries to this repo for monitoring and detecting supply chain attacks. Great examples of the benefits of canaries in protecting the community are seen in this Grafana post, and research Detecting the Modern Supply Chain Attack: High-Fidelity Canaries for CI/CD.

There's a free Tracebit Community Edition GitHub integration you can install here that sets this up in under 5 minutes - once you do, it injects canary tokens (decoy credentials that look real but nothing legitimate ever uses) into each workflow. If anyone tries to use one, you get an alert straight away. Since no real process ever touches them, a trigger means there's likely an issue.

I'm also more than happy to raise a PR and implement it myself. No stress if it doesn't fit - thought it would be useful to share with the wider community.

Full disclosure: I work for Tracebit and was involved in building this. Our Community Edition is fully designed with community in mind and will remain free forever.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions