When multiple DevOps platforms work together to execute pipelines for a single GitHub repository, it begs the question: Do these platforms get along?
Node.js, the most popular JavaScript runtime in the world, uses a set of triplets to execute its CI/CD pipelines: a GitHub App, GitHub Actions workflows, and Jenkins pipelines. As with many children, getting all three to behave together can be a challenge.
Recently, we dove into Node.js’ CI/CD pipelines during vulnerability research. Our investigation revealed gaps that exposed their family of DevOps platforms to remote code execution on internal Jenkins agents and a potential supply chain attack.
Click to read the full blog that I wrote for Praetorian.