Workbrew’s 2024 Security Audit with Trail of Bits
In the fall of 2024, Workbrew commissioned a Security Audit from reputable cybersecurity firm Trail of Bits.
The scope of the audit consisted of:
- The Workbrew console (Rails-based application)
- The Workbrew endpoint agent (Go-based, with integrations into brew)
- The Workbrew installer (macOS installer with associated shell scripts)
The audit focused on reviewing the Workbrew update mechanisms, remote brew command execution, filesystem access controls preventing unauthorized access (by a non-root user), as well as checking for exposure of sensitive system secrets.
- Items found - 9
- Items resolved - 7
- Items in progress/partially resolved - 2
Findings by severity:
- Informational: 3
- Low: 4
- Medium: 1
- Undetermined: 1
Additionally, Homebrew underwent an in-depth security audit in 2023, and interested parties can read that report from Trail of Bits here.
To access the full Workbrew report, please visit our Security page.
Trail of Bits will be joining Workbrew for an upcoming webinar about security audits on March 25, and we'd love to see you there.
Code Block
#!/bin/bash
# Check for Homebrew in supported installation paths.
if [[ -x "/opt/homebrew/bin/brew" ]] ||
[[ -x "/usr/local/bin/brew" ]] ||
[[ -x "/home/linuxbrew/.linuxbrew/bin/brew" ]]
then
echo "Homebrew is installed."
exit 0
else
echo "Homebrew is not installed."
exit 1
fiIn the fall of 2024, Workbrew commissioned a Security Audit from reputable cybersecurity firm Trail of Bits.
The scope of the audit consisted of:
- The Workbrew console (Rails-based application)
- The Workbrew endpoint agent (Go-based, with integrations into brew)
- The Workbrew installer (macOS installer with associated shell scripts)
The audit focused on reviewing the Workbrew update mechanisms, remote brew command execution, filesystem access controls preventing unauthorized access (by a non-root user), as well as checking for exposure of sensitive system secrets.
- Items found - 9
- Items resolved - 7
- Items in progress/partially resolved - 2
Findings by severity:
- Informational: 3
- Low: 4
- Medium: 1
- Undetermined: 1
Additionally, Homebrew underwent an in-depth security audit in 2023, and interested parties can read that report from Trail of Bits here.
To access the full Workbrew report, please visit our Security page.
Trail of Bits will be joining Workbrew for an upcoming webinar about security audits on March 25, and we'd love to see you there.
3. IT Admins have questions. We weren’t sure what to expect, but so many folks had specific implementation queries. Others were curious about what Workbrew is up to. It was a non-stop flow of awesome conversations, and we ran out of Homebrew Cheat Sheets and Implementation Guides.
4. MacAd.UK has great bean bag chairs – the Chill-Out Zone was a super comfortable place to talk about CVEs.
5. The wonderful MacAdmins Foundation offers grants for folks who want to attend but aren’t in a position to fund the trip. For those looking to attend MacAdmins PSU, their applications are open.
A big thank you to the MacAD.UK team and we’re excited to be back next year.
If you missed it, check out Brandon’s talk on Balancing the Needs of IT, Security, & Engineering Teams at Scale
3. IT Admins have questions. We weren’t sure what to expect, but so many folks had specific implementation queries. Others were curious about what Workbrew is up to. It was a non-stop flow of awesome conversations, and we ran out of Homebrew Cheat Sheets and Implementation Guides.
4. MacAD.UK has great bean bag chairs – the Chill-Out Zone was a super comfortable place to talk about CVEs.
5. The wonderful MacAdmins Foundation offers grants for folks who want to attend but aren’t in a position to fund the trip. For those looking to attend MacAdmins PSU, their applications are open.
A big thank you to the MacAD.UK team and we’re excited to be back next year.
If you missed it, check out my talk on Balancing the Needs of IT, Security, & Engineering Teams at Scale
Code Block
#!/bin/bash
# Check for Homebrew in supported installation paths.
if [[ -x "/opt/homebrew/bin/brew" ]] ||
[[ -x "/usr/local/bin/brew" ]] ||
[[ -x "/home/linuxbrew/.linuxbrew/bin/brew" ]]
then
echo "Homebrew is installed."
exit 0
else
echo "Homebrew is not installed."
exit 1
fi