Security News > 2024 > July > Most GitHub Actions workflows are insecure in some way

The report found the GitHub Actions marketplace's security posture to be especially concerning, with most custom Actions not verified, maintained by one developer, or generating low-security scores based on OpenSSF Scorecard.

Insecure GitHub Actions could allow attackers to compromise open-source and initiate supply chain attacks or use them as an initial attack vector into organizations that use GitHub.

"However, despite its popularity, most GitHub Actions workflows are insecure in some way - from being overly privileged to having high-risk dependencies. For instance, our past research found even projects from global enterprises like Google and Apache are flawed. These findings are alarming because GitHub Actions provide the key to critical infrastructure. They are connected to an organization's source code and their deployment environment, so once exploited, the organization is completely in the attacker's hands," added Blit.

Legit found the security status of Actions developed by the community to enhance GitHub Actions capabilities concerning.

Of the 19,113 custom GitHub Actions in the marketplace, only 913 were created by verified GitHub users; 18% had vulnerable dependencies; 762 are archived and do not receive regular updates; the average OSSF security score was 4.23 out of 10; and most are maintained by a single developer.

Organizations should use GitHub's built-in features for controlling GitHub Actions behavior to enforce best practices and leverage security tools that integrate seamlessly with GitHub for continuous security scanning.

News URL

https://www.helpnetsecurity.com/2024/07/17/insecure-github-actions-workflows/