Skip to content

Feature: Adding Canary Tokens to Detect Supply Chain Compromise #677

Description

@andrewmichaelsmith

This is a suggestion to add security canaries to this repo for monitoring and detecting supply chain attack compromise.

There's a free Tracebit Community Edition GitHub integration you can install here that sets this up in under 5 minutes - once you do, it injects canary tokens (decoy credentials that look real but nothing legitimate ever uses) into every running build.

If anyone tries to use one, you get an alert straight away. Since no real process ever touches them, a trigger means there's likely an issue.
A great example of the value of canaries is seen in this Grafana Labs post, and research Detecting the Modern Supply Chain Attack: High-Fidelity Canaries for CI/CD.

I'm also more than happy to raise a PR and implement it myself. No stress if it doesn't fit, thought it would be useful to share with the wider community.

Full disclosure - I work for Tracebit and built this myself. Our Community Edition is fully designed with community in mind and will remain free forever.

Thanks,
Andy

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions