Git providers have noted an increase in poisoned pipeline attacks, which can result in serious security vulnerabilities: attackers can exploit them to gain unauthorized access to sensitive data, compromise the confidentiality, integrity, or availability of the system, or even take control of it.
At Bitrise, our customers' security is of the utmost importance to us. On May 5th 2023, out of an abundance of caution for our customers’ security, we enabled manual approval of all pull request (PR) builds submitted from forks for any customers where we could not confirm if they were connecting to a private repository.
You could be vulnerable to a poisoned pipeline attack, in which a third party opens a pull request against a public repository and thereby triggers a build of your private app, only if all of the following app settings are in place:
- Your app uses a public repository
- Your app on Bitrise is private (not a public app, where we enforce manual approval of pull requests submitted from forks)
- The Bitrise feature to manually approve PR builds is disabled
- Your organization exposes secrets in PRs
Given these pipeline attacks, this is a risky configuration. While some customers may choose to proceed with it, we strongly recommend keeping the requirement to manually approve PR builds submitted from forks enabled.
Private repositories connected to private apps on Bitrise: If you are connecting to a private repository, this specific warning is not applicable to you.
Note: This is an interim notice for support purposes and may be updated or removed. Please contact support if you have any questions and please always follow procedures that meet your company's security requirements.