CI/CD & DevOps / Scenario

The Leaky Pipeline

A fork PR ran the test workflow and a base64 blob that decodes to the staging API key appeared in the logs. Reconstruct the breach and seal it.

Difficulty
Hard
Format
Scenario
Points
200
Estimate
15 min

// MISSION BRIEF

Your Mission

Security flagged run #2214: triggered by a first-time contributor's fork PR, and the log contains a suspicious base64 string. You have the workflow file and the log. Work out how the secret escaped, why the masking didn't save you, and what the fixed pipeline looks like.

Scoring: weighted decisions; the root-cause call counts double.

// FIRST CONTACT

Battle teaser

First artifact

.github/workflows/pr-tests.yml

The root cause of the leak:

  1. Avitest prints all environment variables by default
  2. BThe contributor guessed the API key and pasted it into the log
  3. Cpull_request_target runs with secrets available while the job checks out and EXECUTES untrusted fork code, so any PR can exfiltrate whatever the job can read
  4. Dactions/checkout@v4 has a known CVE
Answers, scoring, hints, and the full battle stay sealed.

// SKILL TAGS

ci-cdsecuritygithub-actionssecrets