GitHub Sync Enhancements

Due to the increasing number of supply chain attacks, we have disabled automatic GitHub synchronization within our NMM instance for both our own GitHub repositories and the Nerdio managed repository.

Because these scripts ultimately execute within customer environments, sometimes automatically via scheduled actions, we prefer to manually review all PowerShell script changes before they are synchronized into Nerdio and made available for execution. If a GitHub repository marked for automatic sync were ever compromised, automatic synchronization could introduce malicious scripts into NMM without any review.

The current workaround of manually synchronizing repositories is acceptable from a security perspective, but it limits visibility into available updates from within NMM. With that, my FR would be to introduce something similar to the current source tenant check for synced configuration policies.

From a security perspective, I believe the automatic sync functionality should evolve into the workflow below. If the current automatic sync behavior remains, these capabilities could instead be available whenever an administrator disables automatic synchronization.

  • Nerdio periodically checks the linked GitHub repository for updates.
  • If a newer version of a script is available, the script is marked as Outdated or Update Available.
  • Administrators can view the differences between the current version and the latest GitHub version.
  • Administrators can selectively synchronize individual scripts after reviewing the changes.
  • No script content is updated automatically until an administrator explicitly approves the synchronization.

This will reduce the likelihood of unreviewed code changes being introduced into customer environments by requiring human review before updates are imported. It provides visibility into available updates without requiring manual repository checks outside NMM, keeping the user in the product. It allows us to review and selectively synchronize individual scripts rather than synchronizing all repository changes at once. It also aligns the GitHub synchronization experience with the existing source tenant policy synchronization for configuration policies, Compliance Policies, etc. This enhancement would provide a strong balance between security and usability, especially for organizations that require change review and approval.
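To make the proposed workflow concrete, here is an added, offline model of the check / diff / approve cycle described above. It is example code written for this post, not NMM or Nerdio code, and it makes no GitHub API calls: the `INSTALLED` and `REMOTE` dictionaries are constructed stand-ins for the scripts currently held in the product and for what a periodic fetch of the linked repository would return. Scripts are compared by SHA-256 of their content, every script gets a status, a unified diff is available for review, and nothing is written back unless an administrator names the script explicitly.

```python
"""Offline model of a review-before-sync workflow for GitHub-hosted scripts.

All script names, contents and function names are constructed for this
example. Nothing is updated until an administrator approves it by name.
"""
import difflib
import hashlib

# Constructed sample: scripts currently installed in the management product.
INSTALLED = {
    "Set-TimeZone.ps1": "param($Tz)\nSet-TimeZone -Id $Tz\n",
    "Restart-Spooler.ps1": "Restart-Service -Name Spooler\n",
}

# Constructed sample: contents returned by a periodic fetch of the linked repo.
REMOTE = {
    "Set-TimeZone.ps1": "param($Tz)\nSet-TimeZone -Id $Tz\nWrite-Output 'done'\n",
    "Restart-Spooler.ps1": "Restart-Service -Name Spooler\n",
    "New-Script.ps1": "Write-Output 'new'\n",
}


def content_hash(text: str) -> str:
    """Stable fingerprint of a script body, used for change detection."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_for_updates(installed: dict, remote: dict) -> dict:
    """Return a status for every script seen on either side.

    Statuses: current, update_available, new_in_repo, removed_from_repo.
    """
    statuses = {}
    for name in sorted(set(installed) | set(remote)):
        if name not in remote:
            statuses[name] = "removed_from_repo"
        elif name not in installed:
            statuses[name] = "new_in_repo"
        elif content_hash(installed[name]) != content_hash(remote[name]):
            statuses[name] = "update_available"
        else:
            statuses[name] = "current"
    return statuses


def show_diff(name: str, installed: dict, remote: dict) -> str:
    """Unified diff of the installed script against the repository version."""
    old = installed.get(name, "").splitlines(keepends=True)
    new = remote.get(name, "").splitlines(keepends=True)
    return "".join(
        difflib.unified_diff(old, new, fromfile=f"installed/{name}", tofile=f"github/{name}")
    )


def approve_sync(installed: dict, remote: dict, approved: list) -> dict:
    """Copy only the explicitly approved scripts from the repo into a new
    installed set. Approving a script with no pending change is an error,
    so a stale approval list cannot silently pull in later commits."""
    statuses = check_for_updates(installed, remote)
    updated = dict(installed)  # never mutate the caller's copy
    for name in approved:
        if statuses.get(name) not in ("update_available", "new_in_repo"):
            raise ValueError(f"{name!r} has no pending update to approve ({statuses.get(name)})")
        updated[name] = remote[name]
    return updated


if __name__ == "__main__":
    for script, status in check_for_updates(INSTALLED, REMOTE).items():
        print(f"{script}: {status}")
        if status == "update_available":
            print(show_diff(script, INSTALLED, REMOTE))
    # An administrator reviews the diff above and approves one script only.
    after = approve_sync(INSTALLED, REMOTE, ["Set-TimeZone.ps1"])
    print("synced:", sorted(n for n in after if after[n] != INSTALLED.get(n)))
```

The approval step re-runs the status check at approval time rather than trusting a status computed earlier, so that a script which changed again in the repository between review and approval is rejected instead of being imported unreviewed.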
