A Look at Chariot’s Capability to Protect
On June 6, 2024, an anonymous user posted nearly 300 GB of stolen source code to 4chan. According to the poster, the leak contained “basically all source code belonging to The New York Times”. The NYT later confirmed the leak and said the root cause was an exposed GitHub token.
Public source code platforms such as GitHub are a growing attack vector. GitHub users exposed millions of sensitive secrets to the internet in 2023 alone, and Praetorian’s own Red Teams use exposed secrets like these as entry points into client infrastructure during customer engagements. Beyond secrets, GitHub Actions has turned GitHub into a popular CI/CD pipeline, creating several new attack vectors. Praetorian previously wrote about GitHub CI/CD attacks and will present a detailed review of these novel techniques at Black Hat USA 2024.
To protect our clients from GitHub-based risks, Praetorian Labs built a new capability for Chariot’s toolbelt. You can now use it to find hard-coded secrets, CI/CD misconfigurations, repository exposures, and more across your organization’s GitHub footprint.
What is the GitHub Capability?
Chariot tracks GitHub repositories as assets alongside IP addresses, domain names, and other conventional attack surface. When a user adds a GitHub seed (representing an organization or user) to Chariot:
- Chariot spiders every repository in the specified organization or user account.
- If the seed is an organization, Chariot also enumerates the public repositories belonging to each organization member.
- Chariot then scans all identified repositories for:
  - Exposed secrets in the source code (using Nosey Parker)
  - CI/CD misconfigurations (using Gato)
  - Public repositories created within the last 24 hours
  - Private repositories turned public within the last 24 hours
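To make the last three checks concrete, here is an added illustration of the underlying logic, written for this page and not taken from Chariot, Nosey Parker, or Gato. It runs two checks over constructed sample data: a regex-based secret scan for GitHub token formats (classic `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_` tokens and fine-grained `github_pat_` tokens, plus AWS access key IDs) over a handful of made-up file contents, and a repository-exposure check over two snapshots of GitHub-REST-API-shaped repository records that flags public repositories created in the last 24 hours and repositories that were private in the earlier snapshot but public in the later one. The organization name `example-org`, the repository names, file contents, and tokens are all invented; the token patterns follow the publicly documented formats.

```python
"""Added example (not Chariot's code): secret scan + repository-exposure check
over constructed sample data, mirroring the checks listed above."""
import re
from datetime import datetime, timedelta, timezone

# Token formats as publicly documented by GitHub and AWS:
#   classic GitHub tokens: two-letter prefix + '_' + 36 alphanumerics
#   fine-grained PATs:     'github_pat_' + 82 chars of [A-Za-z0-9_]
#   AWS access key IDs:    'AKIA' + 16 uppercase alphanumerics
SECRET_PATTERNS = {
    "github_classic_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Constructed file contents (the tokens are not real credentials).
SAMPLE_FILES = {
    "deploy/config.py": (
        'GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
    ),
    ".github/workflows/ci.yml": "env:\n  TOKEN: ${{ secrets.GITHUB_TOKEN }}\n",
    "README.md": (
        "Use a fine-grained PAT such as github_pat_11ABCDEFG0abcdefghijklmnop"
        "qrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi\n"
    ),
}


def scan_for_secrets(files):
    """files: {path: contents}. Returns (path, line_no, kind, redacted) tuples.
    Only a redacted form of each match is kept so findings can be logged safely."""
    findings = []
    for path, contents in files.items():
        for line_no, line in enumerate(contents.splitlines(), start=1):
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(line):
                    token = match.group(0)
                    findings.append((path, line_no, kind, token[:8] + "..." + token[-4:]))
    return findings


# Constructed snapshots shaped like GitHub REST API repository objects
# (only 'full_name', 'private' and 'created_at' are used here).
NOW = datetime(2024, 6, 7, 12, 0, tzinfo=timezone.utc)
PREVIOUS_SNAPSHOT = [
    {"full_name": "example-org/website", "private": False, "created_at": "2021-01-01T00:00:00Z"},
    {"full_name": "example-org/infra-scripts", "private": True, "created_at": "2022-03-04T09:30:00Z"},
    {"full_name": "example-org/internal-tooling", "private": True, "created_at": "2023-05-05T05:05:05Z"},
]
CURRENT_SNAPSHOT = [
    {"full_name": "example-org/website", "private": False, "created_at": "2021-01-01T00:00:00Z"},
    {"full_name": "example-org/infra-scripts", "private": False, "created_at": "2022-03-04T09:30:00Z"},
    {"full_name": "example-org/internal-tooling", "private": True, "created_at": "2023-05-05T05:05:05Z"},
    {"full_name": "example-org/hackathon-demo", "private": False, "created_at": "2024-06-07T03:00:00Z"},
]


def _parse_github_time(value):
    # GitHub's API returns UTC timestamps in the form 2024-06-07T03:00:00Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_repo_exposures(previous, current, now, window=timedelta(hours=24)):
    """Flag public repos created inside `window` and repos that were private
    in `previous` but are public in `current`. A repo can appear in both lists."""
    prev_private = {r["full_name"]: r["private"] for r in previous}
    new_public, newly_public = [], []
    for repo in current:
        if repo["private"]:
            continue  # private repos are not an exposure
        name = repo["full_name"]
        if now - _parse_github_time(repo["created_at"]) < window:
            new_public.append(name)
        if prev_private.get(name) is True:
            newly_public.append(name)
    return {"new_public": new_public, "newly_public": newly_public}


if __name__ == "__main__":
    for finding in scan_for_secrets(SAMPLE_FILES):
        print("secret:", finding)
    print("exposures:", find_repo_exposures(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT, NOW))
```

The visibility check only works when you keep the previous snapshot, which is why a platform that polls continuously can catch a private-to-public flip that a one-off scan of the current state would miss. In practice a secret scanner should also walk git history, not just the checked-out tree, since a token that was committed and later removed is still retrievable.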
How to Use the GitHub Capability
Chariot users can trigger the GitHub capability in two ways. The first is to add the GitHub URL of the user or organization (e.g., https://github.com/praetorian-inc) as a seed, either through our UI or with Praetorian’s CLI tool:
praetorian chariot add seed https://github.com/praetorian-inc
Chariot then collects all public repositories associated with the new seed(s).
To scan private repositories as well, deploy Chariot’s GitHub integration, which accepts a Personal Access Token (PAT). This is also possible through either our UI or the CLI:
praetorian chariot link github github_pat_123456abcdefg_123456abcdefg praetorian-inc
Once the integration completes, Chariot scans every repository in the specified organization that the PAT can access.
Getting Started With Chariot
Curious how your organization’s GitHub posture looks to an attacker? Create a free account and add a seed for your GitHub organization. Chariot will have results ready before you finish your next cup of coffee.