The State of GitHub Actions Security
Most GitHub Actions workflows are insecure in some way: they are overly privileged, have risky dependencies, and so on. Legit research reveals that even projects from enterprises like Google and Apache are flawed.
In addition, the security posture of the GitHub Actions marketplace is concerning. Most of the Actions there are not verified, are maintained by a single developer, and have low security scores based on the OpenSSF Scorecard.
Why does this matter?
GitHub Actions security is an important aspect of open-source security. Insecure GitHub Actions could allow attackers to compromise open-source projects and initiate supply chain attacks, or to use them as an initial attack vector into organizations that use GitHub.
Download The State of GitHub Actions Security – based on an analysis of 2,500,000 GitHub Actions workflow files – to understand:
- GitHub Actions and how they work
- The GitHub Actions attack surface
- Risks and mitigations when writing GitHub Actions
- Risks when using GitHub Custom Actions