Site Favicon Avatar
How a Single Pull Request Can Turn Your CI/CD Pipeline Against You🚨
Back to all posts
securitydevsecopsci-cdgithub-actionssupply-chainself-hostedvps

How a Single Pull Request Can Turn Your CI/CD Pipeline Against You🚨

February 3, 2026
6 min read

Self-hosted runners are tempting: faster builds, cheaper minutes, custom tooling, access to private networks, and fewer limits. But that last part—access—is exactly why they can turn pull requests into a security nightmare.

A CI runner is not “just a build machine.” It’s a remote code execution endpoint that you schedule with YAML.

The core issue: PRs are untrusted code

When you run CI on a PR, you’re executing code written by someone who may be:

  • A new contributor
  • A compromised contributor account
  • A malicious actor from a fork
  • A bot-generated “helpful” PR

In other words: the PR is an attacker-controlled program. If that program runs on infrastructure you own (a VPS, a bare-metal server, your Kubernetes node), the PR can try to compromise that infrastructure.

Why self-hosted runners are riskier than GitHub-hosted runners

GitHub-hosted runners are designed around a simple security assumption: jobs can be hostile.

They reduce blast radius by providing (mostly) ephemeral, isolated, disposable environments with tightly controlled network boundaries.

Self-hosted runners often have the opposite properties:

  • Long-lived machines
  • Valuable credentials and caches
  • Access to internal networks
  • Reused workspaces
  • Extra permissions “to make things work”

That combination makes exploitation more impactful and persistence easier.

1) Persistence: a self-hosted runner is a place to hide

On a GitHub-hosted runner, the VM is torn down after the job. If an attacker drops a backdoor, it usually dies with the runner.

On a self-hosted runner, an attacker can:

  • Add cron jobs / systemd services
  • Modify startup scripts
  • Plant SSH keys
  • Install kernel modules / rootkits (if privileged)
  • Leave “sleeping” payloads that activate later

If your runner is a VPS you also use for other things (monitoring, reverse proxy, staging apps), the attacker just gained a long-lived foothold.

2) Secrets and tokens: PRs become a credential-harvesting pipeline

Even if GitHub protects secrets on forked PRs by default, self-hosted environments commonly leak credentials through:

  • Accidental echo/debug logs
  • Misconfigured workflows (e.g., pull_request_target misuse)
  • Shared caches or artifacts
  • Environment variables stored on the host
  • Cloud credentials mounted for “deployment” steps

Once an attacker steals:

  • A cloud API key
  • A container registry token
  • A GitHub PAT
  • A Kubernetes service account token

…your CI compromise becomes a supply-chain compromise.

3) Network access: self-hosted runners often sit inside the crown jewels

A self-hosted runner frequently has network reachability to:

  • Private databases
  • Internal services (Grafana, Vault, ArgoCD, Jenkins)
  • Metadata endpoints (cloud instance metadata)
  • Internal container registries
  • On-prem services or VPN-connected resources

A GitHub-hosted runner typically does not have this privileged network position.

So a malicious PR doesn’t just try to steal secrets—it can scan your internal network, exploit internal services, and pivot.

4) “Containerized self-hosted runner” is not the same as GitHub-hosted isolation

People often say: “It’s fine, our self-hosted runner runs inside Docker.”

That helps, but it’s not a silver bullet, because:

  • Containers share the host kernel
  • Many CI setups mount the Docker socket (/var/run/docker.sock) so the job can build images
  • Privileged containers (--privileged) are common for nested builds

If an attacker can talk to the Docker socket, they can often:

  • Start privileged containers
  • Mount the host filesystem
  • Extract host secrets
  • Escape into the host effectively as root

GitHub-hosted runners are built to assume this risk and tear down the host afterward. A self-hosted VPS does not.

5) Shared workspaces and caches can leak data across jobs

Self-hosted runners commonly reuse directories to speed things up.

That creates cross-job data exposure:

  • A malicious PR can read leftover files from prior builds
  • Cached package directories might contain private code or tokens
  • Build outputs can be exfiltrated via artifacts or outbound HTTP

GitHub-hosted runners are generally clean per job.

6) Runner registration is a trust boundary (and it’s easy to get wrong)

If an attacker can register their own runner into your org/repo (through leaked registration tokens or weak admin controls), they can:

  • Run jobs on their hardware
  • Observe job inputs
  • Potentially capture secrets in workflows that run on self-hosted

Runner security isn’t just “patch your box.” It’s also governance: who can register runners, and where workflows are allowed to run.

A realistic attack story: “harmless” PR → compromised runner → compromised org

Here’s how this often plays out:

  1. Attacker opens a PR that changes a “test” script.
  2. CI runs on a self-hosted runner.
  3. The script quietly:
    • Reads environment variables
    • Looks for ~/.ssh, ~/.npmrc, cloud creds, kubeconfig, registry auth
    • Contacts an external server to exfiltrate data
  4. Attacker uses stolen credentials to push a malicious package/image or modify infra.
  5. If the runner is persistent, attacker leaves a backdoor for future access.

Even without secrets, the attacker may still gain value by:

  • Mining crypto
  • Using your IP for scanning
  • Pivoting into internal services

When GitHub-hosted is safer (and usually the right default)

GitHub-hosted runners are generally safer for PRs because:

  • Fresh environment per job
  • Better isolation assumptions
  • Less exposure to your private network
  • No long-lived host to persist on

This doesn’t make GitHub-hosted “invulnerable,” but it shrinks the blast radius dramatically.

If you must use self-hosted runners: harden like it’s a production system

Sometimes you need self-hosted (special hardware, private dependency access, custom networking). If so, treat it like you’re hosting an execution platform for untrusted code.

Practical mitigations:

  • Never run untrusted PRs on self-hosted: restrict self-hosted runners to trusted branches, protected environments, or maintainers-only workflows.
  • Use ephemeral runners: auto-scale VMs/containers per job and destroy them after (don’t reuse workspaces).
  • Split networks: runners should not have direct access to prod databases or admin panels.
  • Assume secrets will leak: use short-lived credentials (OIDC), least privilege, and rotate aggressively.
  • Avoid Docker socket mounts: prefer rootless builds (BuildKit, Kaniko, remote builders) instead of giving jobs host-level container control.
  • Lock down workflow triggers: be extremely careful with pull_request_target, workflow_run, and any pattern that executes PR-controlled code with elevated permissions.
  • Pin actions and dependencies: use commit SHAs for actions, verify provenance, and reduce supply-chain injection risk.
  • Monitor and alert: outbound network spikes, new processes, unexpected binaries, and runner configuration changes should page you.

Final thoughts

Self-hosted runners aren’t “bad.” They’re just high consequence.

If a GitHub-hosted runner gets popped during a PR build, the attacker usually loses the machine when the job ends.

If a self-hosted runner gets popped, you may be handing an attacker a durable foothold inside your network—and that’s how a PR can become a security nightmare.

Subscribe by email

Get new posts delivered to your inbox. No spam; unsubscribe anytime.

Open subscription form

If the form doesn’t load (some browsers block embedded forms), use the “Open subscription form” button.