Get details on Legit's research on the security of GitHub Actions.
I’m happy to announce the publication of a new report from the Legit research team, The State of GitHub Actions Security. This report highlights our findings and conclusions after analyzing 2,500,000 GitHub Actions workflow files belonging to 553,000 organizations and personal users. Ultimately, we found the state of GitHub Actions security lacking, and organizations should take at least the following steps to mitigate the risk:
- Create a list of allowed third-party Actions
- Configure default permission for workflow tokens to be the least privileged
- Determine where GitHub Actions can approve pull requests
- Control which users can execute workflows
We share highlights of the data and our analysis below. You can download the full report here.
What are GitHub Actions?
GitHub Actions add automation to the software development lifecycle on GitHub via event-driven triggers. These triggers are specified events that can range from creating a pull request to building a new branch in a repository.
What did this research entail?
This research explores multiple aspects of GitHub Actions security, including:
- How developers write GitHub Actions workflows and whether they adhere to best practices
- The GitHub Actions marketplace (where developers upload Actions for public use) and the security posture of the Actions published there
- Recommendations on best practices and how to avoid the risks outlined throughout this research
What were the notable findings?
Most GitHub Actions workflows are insecure in some way; they are overly privileged, have risky dependencies, etc. Past Legit research reveals that even projects from enterprises like Google and Apache are flawed.
The Legit research team discovered the following vulnerabilities in thousands of GitHub Actions workflows:
- Interpolation of untrusted input
- Execution of untrusted code
- Using untrustworthy artifacts
When examining the building blocks of GitHub Actions workflows (triggers, jobs, steps, runners, and permissions), the team found significant risks, including:
- 98.4% of references used by jobs and steps do not follow the best practice of dependency pinning
- 86% of workflows do not limit token permissions
The security of custom GitHub Actions (those developed by the community to extend GitHub Actions capabilities) is especially concerning. Most of the Actions there are not verified, are maintained by a single developer, and have a low security score based on OpenSSF Scorecard.
Of the 19,113 custom GitHub Actions in the marketplace:
- Only 913 were created by verified GitHub users
- 18% had vulnerable dependencies
- 762 are archived and don’t receive regular updates or vulnerability fixes
- 4.23 was the average OSSF security score (out of 10)
- Most are maintained by a single developer
Why are these findings concerning?
The risk companies face from insecure GitHub Actions use is significant.
GitHub Actions provide the key to a company’s most critical infrastructure. They are connected both to an organization’s source code and to its deployment environment, so once attackers compromise them, the organization is completely in the attacker’s hands.
The lack of dependency pinning the Legit team identified is especially concerning. Dependency pinning locks a workflow to a specific, immutable version of the package, library, or Action it relies on, rather than a mutable tag or branch. A famous example of the danger of using third-party software without dependency pinning is the CodeCov breach, where attackers were able to modify the CodeCov CI script to exfiltrate the CI runner’s environment variables.
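The two findings above (unpinned action references and missing token permission limits) can be checked with a small scanner over workflow files. This is an added example, not code from Legit or the report; the two workflows are constructed for it, the commit SHA in the hardened one is a placeholder, and the line-based parsing is a simplification of a real YAML parse.

```python
import re

# Two workflows, constructed for this example. The first uses mutable refs
# (tag and branch) and declares no permissions block; the second is the
# hardened form: a full-SHA pin, a local action, and a least-privilege token.
WEAK_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      - run: make test
"""

HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step
      - run: make test
"""

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^\s"'#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERMISSIONS_RE = re.compile(r"^\s*permissions:")


def is_pinned(ref: str) -> bool:
    """True if a remote action reference (owner/repo[/path]@ref) is pinned
    to a full 40-hex commit SHA rather than a mutable tag or branch."""
    if "@" not in ref:
        return False
    return SHA_RE.match(ref.rsplit("@", 1)[1]) is not None


def audit_workflow(text: str) -> dict:
    """Return unpinned remote action references and whether the workflow
    declares a permissions block (top-level or per job).
    Local (./) and docker:// references are skipped."""
    unpinned = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not is_pinned(ref):
            unpinned.append(ref)
    limits = any(PERMISSIONS_RE.match(l) for l in text.splitlines())
    return {"unpinned": unpinned, "limits_token_permissions": limits}
```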
How can teams use this research?
Use this research to better understand:
- GitHub Actions and how they work
- The GitHub Actions attack surface
- Risks and mitigations when writing GitHub Actions
- Risks when using GitHub Custom Actions
Download The State of GitHub Actions Security.