CI-WORKFLOW-INJECTExecution

Workflow Command Injection

User input interpolated into a run: step (e.g. github.event.issue.title) — RCE on the runner via shell metachars.

§ Where this technique fits

CI-WORKFLOW-INJECT is catalogued under the Execution tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 4 on average.

§ Dossiers chaining this technique

pull_request_target injection → secrets → cloud takeover
A GitHub Actions workflow runs on pull_request_target and checks out the PR's head SHA. The attacker's PR injects code that runs with the base repo's secrets, including a cloud deploy role.
step 4 / 7

§ What commonly comes next

01
Secret Echo to Build Log
CI-SECRET-IN-LOG · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

pull_request_target injection → secrets → cloud takeover

§ What commonly comes next