Boston, MA – July 16, 2024 – Legit Security, the leading platform for enabling companies to manage their application security posture across the complete developer environment, today announced its newest report, The State of GitHub Actions Security, which analyzes the security posture of GitHub Actions workflows and custom GitHub Actions. The report found the GitHub Actions marketplace’s security posture to be especially concerning: most custom Actions are not verified, are maintained by a single developer, or score low on the OpenSSF Scorecard.
“GitHub is an extremely popular platform. In fact, more than 100 million developers and over 90% of Fortune 100 companies use it,” said Roy Blit, Head of Research at Legit Security. “However, despite its popularity, most GitHub Actions workflows are insecure in some way – from being overly privileged to having high-risk dependencies. For instance, our past research found even projects from global enterprises like Google and Apache are flawed. These findings are alarming because GitHub Actions provide the key to critical infrastructure. They are connected to an organization’s source code and their deployment environment, so once exploited, the organization is completely in the attacker’s hands.”
GitHub has quickly become an essential resource for the developer community by enabling developers to work together on development projects and see each other’s changes in real time. GitHub Actions adds automation to the software development lifecycle through event-driven triggers. These triggers are specified events that range from creating a pull request to building a new branch in a repository. Not surprisingly, GitHub usage continues to grow, with 4-plus million organizations and more than 420 million repositories, over 28 million of them public, as of January 2023.
To mitigate risks, organizations must prioritize educating their development and operations teams about the security risks associated with GitHub Actions, including the proper handling of secrets, the dangers of code injection, and best practices for using third-party Actions. Additionally, organizations should use GitHub’s built-in features for controlling GitHub Actions behavior to enforce best practices, and leverage security tools that integrate seamlessly with GitHub for continuous security scanning.
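The three weakness classes named above (an over-privileged GITHUB_TOKEN, untrusted event data interpolated into a shell step, and third-party Actions referenced by a mutable tag or branch) can be checked mechanically. The script below is an added example written for this page, not code from Legit Security or from the report; it is a line-oriented heuristic rather than a YAML parser, the workflow it scans is constructed for the example, and the commit SHA in it is a placeholder. Its safe-echo step shows the pattern GitHub's hardening guidance recommends: pass event data through an environment variable instead of expanding it inside `run:`.

```python
import re

# Constructed sample workflow (not taken from the report). It contains one example of
# each weakness class: no permissions: block, a shell step that expands an issue title
# directly, and a third-party Action pinned to a branch name. The 40-hex SHA on
# actions/checkout is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/example-action@main
      - name: Unsafe echo
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
      - name: Safer echo
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Any expression that reads github.event.* carries text an outside contributor can set
# (issue titles, PR bodies, branch names), so expanding it in a shell step is injectable.
UNTRUSTED_RE = re.compile(r"\$\{\{[^}]*github\.event\.[^}]*\}\}")
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def find_unpinned_actions(text):
    """Return `uses:` refs that are not pinned to a full commit SHA.
    Local (./path) and docker:// refs are skipped; everything else, including
    actions/*, is treated as a third-party dependency (a strict policy)."""
    findings = []
    for m in USES_RE.finditer(text):
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _name, sep, version = ref.partition("@")
        if not sep or not SHA_RE.match(version):
            findings.append(ref)
    return findings


def run_step_bodies(text):
    """Yield the script of every `run:` step, joining block-scalar continuation lines
    (lines indented deeper than the `run:` key)."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, value = len(m.group(1)), m.group(2)
        body = [] if value in ("|", ">", "|-", ">-") else [value]
        i += 1
        while i < len(lines) and (
            not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent
        ):
            body.append(lines[i].strip())
            i += 1
        yield "\n".join(body)


def find_injectable_run_steps(text):
    """Return run-step scripts that expand github.event.* data directly in the shell.
    Steps that move the value into env: and reference it as $VAR are not reported."""
    return [body for body in run_step_bodies(text) if UNTRUSTED_RE.search(body)]


def check_token_permissions(text):
    """Return a finding about GITHUB_TOKEN scoping, or None when permissions are explicit
    and not write-all."""
    perms = re.findall(r"^\s*permissions:\s*(.*)$", text, re.MULTILINE)
    if not perms:
        return "no permissions: block; GITHUB_TOKEN gets the repository default scope"
    if any(p.strip() == "write-all" for p in perms):
        return "permissions: write-all grants every scope to GITHUB_TOKEN"
    return None


def audit(text):
    """Run all three checks over one workflow file and return the findings."""
    return {
        "unpinned_actions": find_unpinned_actions(text),
        "injectable_run_steps": find_injectable_run_steps(text),
        "token_permissions": check_token_permissions(text),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_WORKFLOW).items():
        print(f"{key}: {value}")
```

Run against the sample, the audit reports the branch-pinned Action, the one `run:` step that expands the issue title inline, and the missing `permissions:` block; the env-based step passes. A real scanner would parse the YAML properly and also resolve reusable workflows, but the same three questions are what a reviewer asks of every workflow file.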
Legit’s report gives organizations a better understanding of GitHub Actions and how they work, their attack surface and risks, mitigations when writing GitHub Actions workflows, and risks when using custom Actions. To download the full report, visit https://info.legitsecurity.com/the-state-of-github-actions-security.
Legit analyzed 2,500,000 GitHub Actions workflow files belonging to 553,000 organizations and personal users to explore multiple aspects of GitHub Actions security, including how developers write GitHub Actions workflows, whether they adhere to best practices, and the GitHub Actions marketplace’s security posture.
Legit is a new way to manage your application security posture for security, product and compliance teams. With Legit, enterprises get a cleaner, easier way to manage and scale application security, and address risks from code to cloud. Built for the modern SDLC, Legit tackles the toughest problems facing security teams, including GenAI usage, proliferation of secrets and an uncontrolled dev environment. Fast to implement and easy to use, Legit lets security teams protect their software factory from end to end, gives developers guardrails that let them do their best work safely, and delivers metrics that prove the success of the security program. This new approach means teams can control risk across the business – and prove it.
Media Contact:
Michelle Yusupov
Hi-Touch PR
443-857-9468
yusupov@hi-touchpr.com