Add more structured metadata fields for programmatic access of LOTP targets #386
+179
−56
This pull request enhances the detection and reporting of "Living Off The Pipeline" (LOTP) tool usage by adding support for identifying and recording the specific target files associated with each LOTP tool invocation. The changes introduce a mapping and resolution logic for both static and dynamic LOTP targets, update the findings metadata to include these targets, and expand the test suite to validate the new functionality.
LOTP Target Resolution and Reporting Improvements:

- New mapping tables (`lotp_static_targets` and `lotp_dynamic_target_patterns`) and a new utility function `resolve_lotp_targets` in `utils.rego` to determine the relevant target files for a wide range of LOTP tools, supporting both static file associations (like `npm` → `package.json`) and dynamic pattern extraction (like `bash` scripts).
- Updated the `untrusted_checkout_exec` rule to include a new `lotp_targets` field in findings metadata, using the resolved targets for each detected LOTP tool usage across GitHub Actions, Azure DevOps, and Tekton pipelines. [1] [2] [3] [4]
- Extended the `FindingMeta` struct in Go to include a `LOTPTargets` field, ensuring structured output of target files in scan results.

Test Suite Enhancements:

- New test cases in `inventory_test.go` to check that the correct `LOTPTargets` are reported for various LOTP tools, including cases with multiple targets and dynamic extraction from script content. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
- New test fixture (`test_new_fields.yml`) to exercise and validate the multi-target extraction logic for tools like `bash` and `chmod`.

These changes improve the precision and usefulness of pipeline security findings by associating each LOTP tool invocation with the exact files involved, aiding both automated analysis and manual review.
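The two resolution strategies the description names (a static tool-to-file table such as `npm` → `package.json`, and pattern extraction of script paths from the command line for tools like `bash` and `chmod`) are easy to get subtly wrong, so here is a stand-alone Go sketch of the idea. This is an added example, not the project's Rego or Go code: the `staticTargets` and `dynamicTargets` tables, the `ResolveLOTPTargets` and `NewFindingMeta` functions, the `FindingMeta` field names and the sample `run:` script are all constructed for illustration and are not taken from the pull request.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// FindingMeta is a hypothetical structured-metadata object attached to a finding.
// Field and JSON names are assumptions made for this example.
type FindingMeta struct {
	Tool        string   `json:"lotp_tool"`
	LOTPTargets []string `json:"lotp_targets"`
}

// staticTargets: tools that implicitly execute or read a fixed file from the
// checked-out tree. Illustrative table, not the project's lotp_static_targets.
var staticTargets = map[string][]string{
	"npm":  {"package.json"},
	"yarn": {"package.json"},
	"pnpm": {"package.json"},
	"make": {"Makefile"},
	"mvn":  {"pom.xml"},
	"pip":  {"requirements.txt", "setup.py"},
}

// shellRe captures the script passed to `bash`/`sh` (optionally after flags such
// as -e or -x); the leading class keeps "sh" from matching inside "bash".
var shellRe = regexp.MustCompile(`(?:^|[\s;&|(])(?:bash|sh)\s+(?:-[a-zA-Z]+\s+)*(\S+\.sh)\b`)

// chmodRe captures everything after the mode (symbolic `+x` or octal `755`) up to
// the end of the command segment, so several paths can be extracted at once.
var chmodRe = regexp.MustCompile(`\bchmod\s+(?:-[a-zA-Z]+\s+)*(?:[ugoa]*[-+=][rwxXst]+|[0-7]{3,4})\s+([^;&|\n]+)`)

// dynamicTargets: tools whose target is an argument of the invocation. The first
// capture group may hold several whitespace-separated paths.
var dynamicTargets = map[string]*regexp.Regexp{
	"bash":  shellRe,
	"sh":    shellRe,
	"chmod": chmodRe,
}

// ResolveLOTPTargets returns the sorted, de-duplicated files a LOTP tool acts on
// within a run script. Unknown tools yield an empty (non-nil) slice so the JSON
// field serialises as [] rather than null for downstream consumers.
func ResolveLOTPTargets(tool, script string) []string {
	if files, ok := staticTargets[tool]; ok {
		out := append([]string(nil), files...)
		sort.Strings(out)
		return out
	}
	re, ok := dynamicTargets[tool]
	if !ok {
		return []string{}
	}
	seen := map[string]bool{}
	out := []string{}
	for _, m := range re.FindAllStringSubmatch(script, -1) {
		for _, p := range strings.Fields(m[1]) {
			if !seen[p] {
				seen[p] = true
				out = append(out, p)
			}
		}
	}
	sort.Strings(out)
	return out
}

// NewFindingMeta builds the metadata object for one detected tool usage.
func NewFindingMeta(tool, script string) FindingMeta {
	return FindingMeta{Tool: tool, LOTPTargets: ResolveLOTPTargets(tool, script)}
}

func main() {
	// Constructed multi-line `run:` step; not taken from any real workflow.
	script := "chmod +x ./scripts/build.sh ./ci/test.sh\nbash ./scripts/build.sh && sh ci/test.sh\nnpm install"
	for _, tool := range []string{"npm", "bash", "chmod", "curl"} {
		b, _ := json.Marshal(NewFindingMeta(tool, script))
		fmt.Println(string(b))
	}
}
```

Two choices matter for programmatic consumers: targets are sorted and de-duplicated so the same finding always serialises identically, and a tool with no resolvable target produces `[]` rather than `null`, so a consumer can iterate the field without a nil check.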