TeamCity GitHub integration. Restrict trigger execution for a specific group of users.

Answered

Hi

We have TeamCity Professional 9.1.3 (build 37176).

It works with GitHub projects.

We configured VCS triggers to run a validation task each time a new PR is created or code is merged to master.

The configuration works, but it looks like a security loophole.

If a hacker creates a phoney PR with malicious code in one of the tests, such a PR will trigger the project to be executed on the TeamCity server, which will check out and execute the malicious test, which is JavaScript code that can be anything an attacker would want, and it runs in our internal network.

Is there any way to integrate user management on GitHub and TeamCity so that we could use PR author information from GitHub to restrict job execution on TeamCity when the author does not belong to the group of internal developers?

Have you come across such a problem before? What is the proper way to deal with it?

Thanks


Hello,

At the moment there is no special user management on the TeamCity side. The VCS trigger builds all the pull requests because it doesn't know anything about GitHub. To build only new ones we probably need a dedicated GitHub trigger that watches pull requests in the repository. It could also run the builds only for pull requests from specified trusted users, solving the security problem. Please feel free to create a feature request in our tracker: https://youtrack.jetbrains.com/issues/TW.

Perhaps you can run builds on an agent in a Docker container; it should help to isolate the build from the agent environment.

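Until a trigger that filters by PR author exists, the same gate can be enforced as the first build step. The script below is an added example, not TeamCity's or JetBrains' code: it assumes the step is handed the branch name TeamCity reports for the build (`pull/N` or `refs/pull/N/merge`), that `fetch_pr` in production would call GitHub's pull request API with a token, and that `TRUSTED_AUTHORS`, `acme/app` and the sample payloads are constructed values.

```python
"""Gate a TeamCity PR build on the pull request's author and origin repository."""
import re
import sys

# Constructed allowlist of GitHub logins for internal developers (assumption).
TRUSTED_AUTHORS = {"alice", "bob"}

PR_BRANCH = re.compile(r"^(?:refs/)?pull/(\d+)(?:/(?:head|merge))?$")


def pr_number_from_branch(branch):
    """Return the PR number from 'pull/42' or 'refs/pull/42/merge', else None."""
    m = PR_BRANCH.match(branch.strip())
    return int(m.group(1)) if m else None


def should_build(branch, fetch_pr, base_repo):
    """Decide whether this build may run. Returns (allowed, reason).

    fetch_pr(number) returns PR metadata shaped like GitHub's API response
    (keys 'user' and 'head'); it is injected so the check runs offline here.
    """
    number = pr_number_from_branch(branch)
    if number is None:
        return True, "not a pull request branch"  # ordinary branch builds unaffected
    pr = fetch_pr(number)
    author = pr["user"]["login"]
    if author not in TRUSTED_AUTHORS:
        return False, f"PR #{number}: author '{author}' is not an internal developer"
    # head.repo is null when a fork was deleted; treat that as untrusted too.
    head_repo = (pr["head"].get("repo") or {}).get("full_name")
    if head_repo != base_repo:
        return False, f"PR #{number}: head comes from fork {head_repo!r}, not {base_repo}"
    return True, f"PR #{number} by trusted author '{author}' from {base_repo}"


# Constructed stand-ins for GitHub's /repos/{owner}/{repo}/pulls/{number} responses.
SAMPLE_PRS = {
    7: {"user": {"login": "alice"}, "head": {"repo": {"full_name": "acme/app"}}},
    8: {"user": {"login": "mallory"}, "head": {"repo": {"full_name": "mallory/app"}}},
    9: {"user": {"login": "bob"}, "head": {"repo": None}},
}

if __name__ == "__main__":
    # Usage: python gate.py <branch>; a non-zero exit fails the build step.
    branch = sys.argv[1] if len(sys.argv) > 1 else "pull/8"
    allowed, reason = should_build(branch, SAMPLE_PRS.__getitem__, "acme/app")
    print(reason)
    sys.exit(0 if allowed else 1)
```

Running the step before checkout-dependent steps matters: the check must fail the build before any test code from the PR is executed on the agent.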