Today, we are introducing two new features for GitHub Actions to help standardize policies and reduce duplication: required workflows and configuration variables. Read on for what this means for your DevOps processes.
Required workflows in GitHub Actions are now available in public beta.
Required workflows allow DevOps teams to define and enforce standard CI/CD practices across many source code repositories within an organization without configuring each repository individually, which becomes an impossible task in large organizations. In addition to reducing duplication of CI/CD configuration code, required workflows can also help organizations with the following use cases:
- Security: invoke external vulnerability scoring or dynamic analysis tools.
- Compliance: ensure that all code meets an enterprise’s quality standards.
- Deployment: ensure that code is continuously deployed in a standard way.
Organization admins can configure required workflows to run on all or selected repositories within the organization.
Required workflows are triggered as required status checks for all pull requests opened against the default branch, which blocks merging of the pull request until the required workflow succeeds. Individual development teams at the repository level can see which required workflows have been applied to their repository.
Until today, you needed to store all configuration data as encrypted secrets in order to reuse values in workflows. While extremely secure, this method did not allow easy storage and retrieval of non-sensitive configuration data such as compiler flags, usernames, and server names. While we were developing required workflows, we heard feedback from customers about the need for parameterization so that local repositories can override certain values in the required workflows.
To help you with standardizing your required workflows, today, we are also adding support for configuration variables.
Configuration variables allow you to store non-sensitive data as plain-text variables that can be reused across the workflows in your repository or organization. You can define variables at the organization, repository, or environment level, as your requirements dictate.
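As an added illustration (not code from this post or from GitHub), a hypothetical workflow that reads its non-sensitive settings from configuration variables and keeps only the credential in an encrypted secret; the variable names, the secret name, and the scanner invocation are assumed placeholders:

```yaml
# Added example: a workflow parameterized with configuration variables.
# Assumes organization-level variables SCANNER_IMAGE and SCAN_SEVERITY exist;
# a repository can override SCAN_SEVERITY by defining a variable of the same
# name, since repository-level variables take precedence over organization-level ones.
name: dependency-scan

on:
  pull_request:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      # Non-sensitive settings come from the vars context, not from secrets.
      SCANNER_IMAGE: ${{ vars.SCANNER_IMAGE }}
      SCAN_SEVERITY: ${{ vars.SCAN_SEVERITY }}
    steps:
      - uses: actions/checkout@v3
      - name: Run scanner
        env:
          # Only the credential stays in an encrypted secret (hypothetical name).
          SCANNER_TOKEN: ${{ secrets.SCANNER_TOKEN }}
        run: |
          # Placeholder invocation; substitute your scanner's real CLI.
          docker run --rm -e SCANNER_TOKEN -v "$PWD:/src" "$SCANNER_IMAGE" \
            scan --path /src --fail-on "$SCAN_SEVERITY"
```

Because the variables are plain text, they appear unmasked in logs, so anything that must stay confidential still belongs in `secrets`.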
You no longer have to spend hours configuring hundreds of repositories to protect your critical software assets. Required workflows, together with reusable workflows, configuration variables, and secrets, will help you apply a consistent set of standards across many repositories with just a couple of clicks. Do try it out and share your feedback.