Critical Supply Chain Risk: Kubescape Repository Exposes 24 Exploitable GitHub Action Vulnerabilities

A critical supply chain vulnerability has been verified as exploitable within the official `slashben/kubescape` GitHub repository, a key security tool for Kubernetes. The finding, escalated from HIGH to CRITICAL severity, reveals that every single one of the repository's 24 GitHub Action references uses mutable tags, creating a direct path for attackers to inject malicious code into the project's CI/CD pipeline. This flaw, categorized under OWASP CI/CD-SEC-3, means the build process for Kubescape itself is fundamentally compromised, allowing a threat actor to hijack the tool's development and distribution infrastructure.

The vulnerability, identified as TAG-001, was confirmed through automated pentesting that analyzed the repository via the GitHub API. The analysis pinpointed specific, widely-used actions—including `actions/checkout@v4`, `actions/setup-go@v5`, and `docker/setup-buildx-action@v3`—that are referenced by lightweight, mutable tags instead of immutable commit hashes. This common misconfiguration leaves the repository's automated workflows open to a classic software supply chain attack: if a maintainer of any upstream action were compromised or maliciously updated a tag, the Kubescape project would automatically and silently pull in the tainted code during its next build.

The implications are severe for downstream users and the broader Kubernetes security ecosystem. Kubescape is a foundational open-source security scanner; a compromised build could lead to the distribution of a malicious binary to all its users, effectively weaponizing a trusted security tool. This incident serves as a stark, verified example of how critical infrastructure projects can themselves become critical vulnerabilities, underscoring the pervasive risk of unpinned dependencies in even the most security-conscious codebases.