Living Off the Pipeline

The idea of the LOTP project is to inventory how development tools (typically CLIs) commonly used in CI/CD pipelines have lesser-known RCE-By-Design features ("foot guns") or, more generally, can be used to achieve arbitrary code execution when they run on untrusted code changes or follow a workflow injection.


Tool                       Tags
Ant                        cli config-file eval-sh
bundler                    cli eval-sh config-file
checkov                    cli config-file eval-py
eslint                     cli config-file eval-js
actions/github-script      github-actions injection eval-js
oxsecurity/megalinter      github-actions config-file eval-sh
roots/issue-closer-action  github-actions injection eval-js
sergeysova/jq-action       github-actions injection eval-sh
go generate                cli input-file eval-sh
gomplate                   cli config-file eval-sh
gradle                     cli config-file eval-groovy eval-kotlin
maven                      cli eval-sh
mkdocs                     cli config-file eval-py
MSBuild                    cli config-file input-file eval-sh
mypy                       cli eval-sh
pre-commit                 cli config-file eval-sh
prettier                   cli config-file eval-js
pylint                     cli config-file eval-python
rake                       cli eval-sh config-file
rubocop                    cli eval-sh config-file
terraform                  cli input-file eval-sh
tflint                     cli config-file eval-sh