Boston, MA – July 16, 2024 – Legit Security, the leading platform for enabling companies to manage their application security posture across the complete developer environment, today announced its newest report, The State of GitHub Actions Security, which analyzes the security posture of GitHub Actions workflows and custom GitHub Actions. The report found the GitHub Actions marketplace’s security posture to be especially concerning, with most custom Actions not verified, maintained by one developer, or generating low-security scores based on OpenSSF Scorecard.
“GitHub is an extremely popular platform. In fact, more than 100 million developers and over 90% of Fortune 100 companies use it,” said Roy Blit, Head of Research at Legit Security. “However, despite its popularity, most GitHub Actions workflows are insecure in some way – from being overly privileged to having high-risk dependencies. For instance, our past research found even projects from global enterprises like Google and Apache are flawed. These findings are alarming because GitHub Actions provide the key to critical infrastructure. They are connected to an organization’s source code and their deployment environment, so once exploited, the organization is completely in the attacker’s hands.”
GitHub has quickly become an essential resource for the developer community by enabling developers to work together on development projects and see each other’s changes in real-time. GitHub Actions adds automation to the software development lifecycle through event-driven triggers. These triggers are specified events that range from creating a pull request to building a new branch in a repository. Not surprisingly, GitHub users continue to grow, with 4-plus million organizations and more than 420 million repositories, with over 28 million public, as of January 2023.
The report's key findings include:
- Vulnerabilities found in GitHub Actions workflows: Researchers uncovered interpolation of untrusted input in more than 7,000 workflows; execution of untrusted code in over 2,500 workflows; and use of untrustworthy artifacts in 3,000-plus workflows.
- Security of the building blocks of GitHub Actions workflows: Legit examined triggers, jobs, steps, runners, and permissions, uncovering significant risks. For example, 98% of references used by jobs and steps do not follow the best practice of dependency pinning (which guards against unexpected changes or updates), and 86% of workflows do not limit token permissions.
- Security of custom GitHub Actions: Legit found the security status of Actions developed by the community to enhance GitHub Actions capabilities concerning. Of the 19,113 custom GitHub Actions in the marketplace, only 913 were created by verified GitHub users; 18% had vulnerable dependencies; 762 are archived and do not receive regular updates; the average OSSF security score was 4.23 out of 10; and most are maintained by a single developer.
To mitigate risks, organizations must prioritize educating their development and operations teams about the security risks associated with GitHub Actions, including proper handling of secrets, dangers of code injection, and best practices for using third-party Actions. Additionally, organizations should use GitHub’s built-in features for controlling GitHub Actions behavior to enforce best practices and leverage security tools that integrate seamlessly with GitHub for continuous security scanning.
Legit’s report gives organizations a better understanding of GitHub Actions and how they work, their attack surface and risks, mitigations when writing GitHub Actions workflows, and risks when using custom Actions. To download the full report, visit https://info.legitsecurity.com/the-state-of-github-actions-security.
Methodology
Legit analyzed 2,500,000 GitHub Actions workflow files belonging to 553,000 organizations and personal users to explore multiple aspects of GitHub Actions security, including how developers write GitHub Actions workflows and whether they adhere to best practices, and GitHub Actions marketplace’s security posture.
About Legit Security
Legit is a new way to manage your application security posture for security, product and compliance teams. With Legit, enterprises get a cleaner, easier way to manage and scale application security, and address risks from code to cloud. Built for the modern SDLC, Legit tackles the toughest problems facing security teams, including GenAI usage, proliferation of secrets and an uncontrolled dev environment. Fast to implement and easy to use, Legit lets security teams protect their software factory from end to end, gives developers guardrails that let them do their best work safely, and delivers metrics that prove the success of the security program. This new approach means teams can control risk across the business – and prove it.
Media Contact:
Michelle Yusupov
Hi-Touch PR
443-857-9468
yusupov@hi-touchpr.com