Most GitHub Actions workflows are insecure in some way
Most GitHub Actions workflows are susceptible to exploitation: they are overly privileged or depend on risky third-party Actions, according to Legit Security.
GitHub Actions security flaws pose major risks
The report found the security posture of the GitHub Actions marketplace especially concerning: most custom Actions are not verified, are maintained by a single developer, or score poorly on the OpenSSF Scorecard.
GitHub Actions security is an important aspect of open-source security. An insecure workflow can let an attacker compromise an open-source project and mount a supply chain attack, or serve as an initial foothold into an organization that builds and deploys through GitHub.
“GitHub is an extremely popular platform. In fact, more than 100 million developers and over 90% of Fortune 100 companies use it,” said Roy Blit, Head of Research at Legit Security.
“However, despite its popularity, most GitHub Actions workflows are insecure in some way – from being overly privileged to having high-risk dependencies. For instance, our past research found even projects from global enterprises like Google and Apache are flawed. These findings are alarming because GitHub Actions provide the key to critical infrastructure. They are connected to an organization’s source code and their deployment environment, so once exploited, the organization is completely in the attacker’s hands,” added Blit.
GitHub has quickly become an essential resource for the developer community by enabling developers to work together on development projects and see each other’s changes in real time. GitHub Actions adds automation to the software development lifecycle through event-driven triggers. These triggers are specified events that range from opening a pull request to pushing a new branch to a repository.
Not surprisingly, GitHub users continue to grow, with 4-plus million organizations and more than 420 million repositories, with over 28 million public, as of January 2023.
Vulnerabilities found in GitHub Actions workflows
Researchers uncovered interpolation of untrusted input (for example, a pull request title or body expanded directly into a shell step, which is a script injection) in more than 7,000 workflows; execution of untrusted code (for example, checking out and building a fork’s pull request in a workflow that holds the repository’s write token) in over 2,500 workflows; and use of untrustworthy artifacts (output produced by an untrusted run and consumed by a privileged one) in 3,000-plus workflows.
Legit examined triggers, jobs, steps, runners, and permissions, uncovering significant risks. For example, 98% of the references used by jobs and steps do not follow the best practice of dependency pinning (referencing an Action by a full commit SHA rather than a mutable tag or branch, which guards against unexpected changes or updates), and 86% of workflows do not limit the permissions of the GITHUB_TOKEN.
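The three workflow-level patterns counted above, together with the pinning and permissions checks, can be spotted with a line-oriented scan of the workflow YAML. The script below is an added example written for this article, not code from Legit Security’s report or tooling. The three workflow files it scans are constructed samples; the 40-hex checkout pin in the hardened sample is a placeholder rather than a real actions/checkout commit, and the download-artifact inputs are illustrative. The scanner is deliberately regex-based so that it needs no YAML library, which also suits the `${{ }}` expression checks, since those are textual in any case.

```python
import re

# Event-payload fields an outside contributor controls; interpolating one into a
# `run:` script lets that contributor break out of the shell quoting.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(?:event\.(?:pull_request\.(?:title|body|head\.(?:ref|label))"
    r"|issue\.(?:title|body)|comment\.body|review\.body|workflow_run\.head_branch"
    r"|commits\[\d+\]\.message)|head_ref)\s*\}\}"
)
# Checking out the PR head in a workflow holding the base repo's token runs the
# contributor's code with that token.
UNTRUSTED_REF = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.(?:pull_request\.head\.(?:sha|ref)|workflow_run\.head_sha)"
)
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_PIN = re.compile(r"^\s*-?\s*uses:\s*\S+@[0-9a-f]{40}\b")
RUN_KEY = re.compile(r"^\s*-?\s*run:(?:\s|$)")
YAML_KEY = re.compile(r"^\s*-?\s*[\w-]+:(?:\s|$)")
# Triggers that run with a write token even when the event came from a fork.
PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run", "issue_comment")


def scan(workflow: str) -> list[tuple[int, str]]:
    """Return (line, rule) findings; line 0 marks a workflow-wide finding."""
    findings = []
    privileged = any(t in workflow for t in PRIVILEGED_TRIGGERS)
    if not re.search(r"^\s*permissions:", workflow, re.M):
        findings.append((0, "no-permissions-block"))
    in_run = False
    for no, line in enumerate(workflow.splitlines(), 1):
        m = USES.search(line)
        if m and not SHA_PIN.search(line):
            findings.append((no, f"unpinned-action {m.group(1)}"))
        if RUN_KEY.search(line):
            in_run = True          # `run: cmd` or the first line of `run: |`
        elif YAML_KEY.search(line):
            in_run = False         # any other key ends the script block
        if in_run and UNTRUSTED.search(line):
            findings.append((no, "untrusted-interpolation"))
        if privileged and UNTRUSTED_REF.search(line):
            findings.append((no, "untrusted-checkout"))
        if privileged and ("download-artifact" in line or "downloadArtifact" in line):
            findings.append((no, "untrusted-artifact"))
    return findings


# Constructed samples, not taken from the report. VULNERABLE shows an unpinned
# action, no permissions block, an untrusted checkout and script injection;
# HARDENED is the same job fixed; ARTIFACT_CONSUMER trusts a fork's artifact.
VULNERABLE = """\
name: pr-check
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Checking PR titled ${{ github.event.pull_request.title }}"
      - run: npm ci && npm test
"""
HARDENED = """\
name: pr-check
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111  # placeholder SHA, not a real commit
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking PR titled $PR_TITLE"
      - run: npm ci && npm test
"""
ARTIFACT_CONSUMER = """\
name: comment-on-pr
on:
  workflow_run:
    workflows: [pr-check]
permissions:
  pull-requests: write
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          run-id: ${{ github.event.workflow_run.id }}
          name: pr-metadata
      - run: gh pr comment "$(cat pr-number.txt)" --body-file comment.md
"""

if __name__ == "__main__":
    for name, text in [("vulnerable", VULNERABLE), ("hardened", HARDENED),
                       ("artifact-consumer", ARTIFACT_CONSUMER)]:
        print(name, scan(text) or "clean")
```

The hardened sample applies the fixes in the order a reviewer would ask for them: the trigger drops to `pull_request`, so a fork’s run only ever gets a read-only token; the checkout no longer overrides `ref`; the PR title reaches the shell through an environment variable rather than being spliced into the script; the Action is pinned to a commit; and a top-level `permissions` block keeps the token to `contents: read`. The artifact consumer is flagged because a `workflow_run` job holding `pull-requests: write` reads a file that the untrusted run wrote, so whatever it does with that file is attacker-controlled.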
Legit also found the security status of community-developed Actions, which extend what workflows can do, concerning. Of the 19,113 custom GitHub Actions in the marketplace, only 913 were created by verified GitHub users; 18% had vulnerable dependencies; 762 are archived and no longer receive regular updates; the average OpenSSF Scorecard score was 4.23 out of 10; and most are maintained by a single developer.
Educating teams on GitHub Action security
Developers of custom Actions, like any open-source developers, are not obligated to publish a CVE for a vulnerability found in their code, and some explicitly refuse to do so, which means a workflow’s dependency scanner may never learn of the flaw.
The number of contributors to a custom Action strongly reflects its credibility. A higher number of contributors indicates broader community involvement and active development. This collaborative effort leads to increased security, testing, and overall quality.
Unfortunately, most of the GitHub Actions in the marketplace are maintained by a single developer. This could be the case because many custom Actions have small scopes and don’t require a lot of effort to create and maintain.
To mitigate these risks, organizations must prioritize educating their development and operations teams about the security risks associated with GitHub Actions, including proper handling of secrets, the dangers of code injection through workflow expressions, and best practices for using third-party Actions (pinning to a commit SHA and reviewing what the pinned code does).
Additionally, organizations should use GitHub’s built-in controls over Actions behavior, such as restricting which Actions a repository or organization may run and setting the default GITHUB_TOKEN permissions to read-only, to enforce these practices, and should adopt security tools that integrate with GitHub for continuous scanning of workflows and their dependencies.