Harnessing GitHub Runners for Cost-Free Computing

What are GitHub Runners?

"GitHub offers hosted virtual machines to run workflows. The virtual machine contains an environment of tools, packages, and settings available for GitHub Actions to use." (GitHub Docs)

Developers use GitHub Workflows to automate the bulk of their repetitive tasks: running tests, building their apps, cutting releases, and much more. All you need to do is commit a workflow file, and GitHub parses it and runs it as an action.

[Figure: Workflow used by returntocorp/semgrep to build semgrep for Windows]

GitHub-hosted runners are available for Windows, Ubuntu Linux and macOS. Using the runs-on keyword, you specify which hosted runner to use, or you can point the job at a self-hosted runner instead.

Testing the waters

There is no limit or restriction on what can be run on a GitHub runner. These are temporary, sandboxed instances that are destroyed once the job completes. We ran LinPEAS on one instance, and its output suggests that there is no AV or EDR monitoring present in these instances.

[Figure: Running LinPEAS on a GitHub-hosted runner]

A few interesting results from LinPEAS:

  • You are running as a user called runner
  • The instance is an Azure VM
  • SSH is open and listening on all interfaces
  • You have full sudo privileges

[Figure: Full sudo rights]

So, GitHub hands you an Azure VM with full sudo rights and no sign of any AV or EDR (at least on Linux runners). It is evident that these runners are meant to be use-and-throw instances.

Unintended Use Cases

Scanning targets with nuclei

You might want to avoid doing this. We did this purely for educational purposes and to satisfy our curiosity. We take no responsibility if you use this for any illegal activities. That being said, you can run nuclei scans directly via GitHub Actions.

[Figure: Workflow to run nuclei scans]

You can check the results live as the workflow runs in the action logs.

[Figure: nuclei scan live results in the action logs]

Once the scan completes, the results are uploaded as a workflow artifact, which you can download after the job has finished.

[Figure: Scan results are uploaded as artifacts]

Running SAST scans on third-party code

We ran Semgrep scans on Jenkins plugins using GitHub runners. Since GitHub caps a workflow at 256 parallel jobs, we wrote our action so that it picks 10 random plugins and runs a scan on each of them.

[Figure: Workflow file to run SAST scans with Semgrep]

[Figure: Semgrep SAST scan output]

[Figure: Running SAST scans on Jenkins plugins]

GitHub Actions are free for standard GitHub-hosted runners in public repositories, as well as for self-hosted runners. For private repositories, GitHub gives each account a set number of free minutes and a storage quota, which vary with the account's plan; usage beyond these limits is governed by spending controls. It's worth noting that these resources can sometimes be used in ways that may not align with GitHub's original intentions.
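As an added illustration of the "pick 10 random plugins and scan them" setup described above (this is our own example workflow, not the authors' workflow file): it assumes a plugins.txt in the scanning repository that lists one jenkinsci repository name per line, uses the public p/java Semgrep ruleset, and relies on pipx, shuf and jq being present on the ubuntu-latest image.

```yaml
name: semgrep-sample-scan
on:
  workflow_dispatch:

jobs:
  pick:
    runs-on: ubuntu-latest
    outputs:
      plugins: ${{ steps.sample.outputs.plugins }}
    steps:
      - uses: actions/checkout@v4
      - id: sample
        # plugins.txt (assumed to live in this repo) holds one jenkinsci repo
        # name per line; sample 10 at random and expose them as a JSON array
        run: |
          echo "plugins=$(shuf -n 10 plugins.txt | jq -R . | jq -sc .)" >> "$GITHUB_OUTPUT"

  scan:
    needs: pick
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      max-parallel: 10   # stay well under the 256 parallel-job ceiling
      matrix:
        plugin: ${{ fromJson(needs.pick.outputs.plugins) }}
    steps:
      - name: Check out the plugin source
        uses: actions/checkout@v4
        with:
          repository: jenkinsci/${{ matrix.plugin }}
          path: target
      - name: Install Semgrep
        run: pipx install semgrep
      - name: Run Semgrep
        # Java ruleset from the Semgrep registry; JSON output is easier to
        # post-process than the default text report
        run: semgrep scan --config p/java --json --output "${{ matrix.plugin }}.json" target
      - name: Upload results
        # artifact names must be unique per matrix job with upload-artifact v4
        uses: actions/upload-artifact@v4
        with:
          name: semgrep-${{ matrix.plugin }}
          path: ${{ matrix.plugin }}.json
```

Each matrix job produces one JSON artifact per plugin, so findings can be downloaded and aggregated once the run finishes.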
