Oh, and if anyone with write access to your repositories had their GH/BB account linked to their DockerHub account, your source code could be compromised.
AFAIK the only way to check is to ask every person who has write access and hope they tell the truth.
Honestly, everyone should probably check their repos for recent activity / commits.
We need more fine-grained permissions for things like this. Principle of Least Authority, people.
I haven't seen anyone mention that Docker Hub's automatic build integration requires either "Owner"-level permissions on your organization or "Admin"-level permissions on the individual repository. Based on the GitHub-side audit log, Docker Hub seems to be using this access to add deploy keys to your repository, but this isn't mentioned in the documentation (which is why we had to go spelunking in the audit log), and if you try to take a least-privilege approach and grant only the read-only access that Docker Hub should require, your GitHub repository will simply not appear in the list of available repositories when you try to configure an automatic build.
Lots of people may have exposed credentials to Docker Hub that can do much more than disclose proprietary source code.
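Since the thread's advice boils down to "go spelunking in the audit log", here is a small triage script, added as an example and not taken from the thread or from GitHub's own tooling. It reads an organization audit-log export in newline-delimited JSON, keeps only entries in an incident window, and flags deploy-key, app-installation and webhook actions so each repository owner can confirm which ones are legitimate. The field names (`created_at`, `action`, `actor`, `repo`) and the action-name prefixes are assumptions about the export format; the log entries themselves are constructed.

```python
"""Triage a GitHub organization audit-log export after a credential exposure.

Added example, not code from the discussion above. The JSON field names and
the action-name prefixes below are ASSUMED; check them against your own export.
"""
import json
from datetime import datetime, timezone

# Constructed sample export: one JSON object per line, timestamps in ms since epoch.
SAMPLE_EXPORT = """
{"created_at": 1556000000000, "action": "repo.push", "actor": "alice", "repo": "example-org/app"}
{"created_at": 1556200000000, "action": "public_key.create", "actor": "ci-integration-bot", "repo": "example-org/app"}
{"created_at": 1556300000000, "action": "integration_installation.create", "actor": "bob", "repo": "example-org/infra"}
{"created_at": 1540000000000, "action": "public_key.create", "actor": "alice", "repo": "example-org/infra"}
"""

# Action families worth a second look when a third party may hold your OAuth token
# (assumed prefixes; extend to match the action names in your export).
WATCH_ACTIONS = ("public_key.", "integration_installation.", "oauth_application.", "hook.")


def parse_export(text):
    """Parse NDJSON audit entries and attach an aware UTC datetime to each."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["when"] = datetime.fromtimestamp(ev["created_at"] / 1000, tz=timezone.utc)
        events.append(ev)
    return events


def suspicious_events(events, window_start_iso, window_end_iso, watch=WATCH_ACTIONS):
    """Return watched actions that fall inside [window_start, window_end], oldest first."""
    start = datetime.fromisoformat(window_start_iso)
    end = datetime.fromisoformat(window_end_iso)
    hits = [ev for ev in events
            if start <= ev["when"] <= end and ev["action"].startswith(watch)]
    return sorted(hits, key=lambda ev: ev["when"])


def actors_by_repo(events):
    """Map repo -> sorted list of actors, so each repo owner gets one list to confirm."""
    by_repo = {}
    for ev in events:
        by_repo.setdefault(ev.get("repo", "<org>"), set()).add(ev["actor"])
    return {repo: sorted(actors) for repo, actors in by_repo.items()}


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    hits = suspicious_events(evs, "2019-04-20T00:00:00+00:00", "2019-04-30T00:00:00+00:00")
    for ev in hits:
        print(ev["when"].isoformat(), ev["action"], ev["actor"], ev.get("repo", ""))
    print(actors_by_repo(hits))
```

The output is a per-repository list of actors who added keys or apps during the window; a deploy key created by an account nobody recognises, or by the integration itself, is what you then follow up on (list the repository's deploy keys and remove any you cannot account for).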
Signed commits would be useful, right? I don’t know much about GitHub permissions, but I’ve skimmed GitLab’s. Why would Docker hub have write access to the repo? Is there really no read only access for repos?
They have a lot of scopes compared to GitLab (https://developer.github.com/apps/building-oauth-apps/unders...). I find it crazy that anyone would click authorize on a 3rd party app with the repo scope without having a way to (easily) identify unauthorized commits.
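The two comments above ask how you would actually identify commits that did not come from a person you trust. If your team signs commits, git's `%G?` log placeholder gives a per-commit signature status, and anything other than a good signature in the incident window is a candidate for review. The script below is an added example (not from the thread); it parses the output of `git log --format='%H%x09%G?%x09%an%x09%cI%x09%s'` and the sample log lines and hashes are constructed.

```python
"""Flag commits whose signature status is not 'good' in a git log dump.

Added example, not code from the discussion above. It consumes the output of
    git log --since=<date> --format='%H%x09%G?%x09%an%x09%cI%x09%s'
where %G? is git's one-letter signature status. The sample log is constructed.
"""
import subprocess

# Meaning of git's %G? placeholder values.
STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}

# Constructed sample output (fake hashes); tab-separated: sha, status, author, date, subject.
SAMPLE_LOG = (
    "0123456789abcdef0123456789abcdef01234567\tG\talice\t2019-04-22T10:00:00+00:00\tFix typo in README\n"
    "89abcdef0123456789abcdef0123456789abcdef\tN\talice\t2019-04-25T03:12:00+00:00\tUpdate build script\n"
    "fedcba9876543210fedcba9876543210fedcba98\tE\tbob\t2019-04-26T18:40:00+00:00\tBump base image\n"
)


def git_log_lines(repo_path, since):
    """Run git log against a real checkout and return its lines (not used by the sample)."""
    fmt = "--format=%H%x09%G?%x09%an%x09%cI%x09%s"
    result = subprocess.run(
        ["git", "-C", repo_path, "log", f"--since={since}", fmt],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.splitlines()


def parse_log(lines):
    """Turn tab-separated log lines into dicts; the subject may itself contain tabs."""
    commits = []
    for line in lines:
        if not line.strip():
            continue
        sha, status, author, date, subject = line.split("\t", 4)
        commits.append({"sha": sha, "status": status, "author": author,
                        "date": date, "subject": subject})
    return commits


def needs_review(commits, trusted=("G",)):
    """Commits whose signature status is not in the trusted set, with a readable reason."""
    flagged = []
    for c in commits:
        if c["status"] not in trusted:
            flagged.append({**c, "reason": STATUS.get(c["status"], "unknown status")})
    return flagged


if __name__ == "__main__":
    for c in needs_review(parse_log(SAMPLE_LOG.splitlines())):
        print(c["sha"][:12], c["date"], c["author"], "-", c["reason"], "-", c["subject"])
```

A status of `N` on a branch where everyone signs is the interesting case; `E` usually means the verifier is missing the author's public key, so resolve it by importing the key before treating the commit as suspect. Pair this with branch protection that requires signed commits so the check becomes preventive rather than forensic.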
A lot of developers are in a hurry and interested mainly in getting their builds to work so they can move on to the thing they actually care about. They don't think about the potential consequences of the easiest thing they did to make it work.
This is how a sizable number of security incidents happen. The easiest thing to do is reckless, so people do it.
Now is a good time to review authorized applications https://github.com/settings/installations and if you're part of a GitHub organization I highly recommend setting up OAuth application restrictions https://help.github.com/en/articles/about-oauth-app-access-r...