This dropper will subsequently allow Octopus Scanner to gain "local system persistence and would subsequently spawn a Remote Administration Tool (RAT), which connects to a set of C2 servers." Once the infected repos are cloned or forked on development systems they get infected and the information-stealing malware will backdoor all the NetBeans project builds it can find by injecting a dropper in any built JAR files. Inner workings of an open-source supply chain malware
GITHUB OPEN SOURCE SCANNER CODE
While investigating this malware, GitHub Security Lab researchers found 26 open source projects compromised by Octopus Scanner that inadvertently served up its backdoored code to any developers that would fork or clone the repos. GitHub’s Security Incident Response Team (SIRT) was notified by security researcher JJ on March 9 about GitHub repositories that were serving as malware delivery points. "Infecting build artifacts is a means to infect more hosts since the infected project will most likely get built by other systems and the build artifacts will probably be loaded and executed on other systems as well," the researchers explain. The malware dubbed Octopus Scanner by researchers at the GitHub Security Lab compromises developers' computers by infecting their NetBeans repositories after planting malicious payloads within JAR binaries, project files and dependencies, later spreading to downstream development systems.
![github open source scanner github open source scanner](https://devblogs.microsoft.com/cppblog/wp-content/uploads/sites/9/2021/10/CodeScanning.png)
Paste in the following code: name: "Security and Quality"įigure 6: Create the CodeQL configuration file. github folder in the Code tab and select Add File:Įnter codeql/codeql-config.yml as the name. In this step, you'll configure CodeQL to use the security-and-quality suites.įor other CodeQL configuration options, see Configuring CodeQL code scanning in your CI system. You can add quality scanning in by adding a configuration file to customize the scanning suites. The current workflow is using the default security-extended suite. The CodeQL scan isn't reporting any security issues. However, there appear to be no issues.įigure 4: No results to the initial scan. If this step fails, you can replace it with your own custom build steps.Īfter building, the CodeQL analysis is performed, where suites of queries are run against the code database.
![github open source scanner github open source scanner](https://colorlib.com/wp/wp-content/uploads/sites/2/vaddy-automated-web-vulnerability-scanner.jpg)
The Autobuild step will attempt to automatically build the source code using common conventions. CodeQL intercepts calls to the compiler to build a database of the code while the code is being built. The second step initializes the CodeQL scanner for the language this job is going to scan. There are four steps, starting with checkout. This causes the job to "fan out" and create an instance per value of the matrix. If the repository contained other languages, you could add them to this array. This workflow defines a strategy with a matrix on the array of language. There's a single job called analyze that runs on the ubuntu-latest hosted agent. If you edit the workflow file and hover over the cron expression, a tooltip will show you the English text for the cron expression.
![github open source scanner github open source scanner](https://spectralops.io/wp-content/uploads/2021/04/image7-1024x545.png)
In this case, this workflow will run at 14:40 UTC every Saturday. The cron trigger lets you define a schedule for triggering this workflow and is randomly generated for you. This workflow triggers on push and pull_request events to the main branch. If you remove the comments from the file, you'll see the following YAML: name: "CodeQL" Take a look at the workflow file while it runs. Select this node to filter for CodeQL workflow runs. In the left-hand tree, you'll see a CodeQL node. Select Start Commit on the upper right to save the default workflow. Select Set up this workflow.įigure 1: Create a new code scanning workflow.Ī new workflow file is created in your. The top recommended workflow should be CodeQL Analysis. Navigate to your GitHub repository and select the Security > Code Scanning Alerts. You can use a starter workflow for code scanning by navigating to the Security tab of your repository. To see security alerts for your repository, you must be a repository owner.