Researchers expose GitHub Actions workflows as risky and exploitable
GitHub is an immensely popular platform, with over 100 million developers and over 90% of Fortune 100 companies utilizing it. Despite its widespread use, many GitHub Actions workflows remain insecure, often due to excessive privileges or high-risk dependencies.
In this Help Net Security video, Roy Blit, Head of Research at Legit Security, discusses a new Legit Security State of GitHub Actions Security report. The report unveils an especially concerning security posture and reveals that most workflows are insecure, overly privileged, and have risky dependencies.
The report’s key findings include:
- Researchers uncovered the interpolation of untrusted input in more than 7,000 workflows, the execution of untrusted code in over 2,500 workflows, and the use of untrustworthy artifacts in 3,000-plus workflows.
- Legit Security examined triggers, jobs, steps, runners, and permissions, uncovering significant risks: 98.4% of references do not follow the best practice of dependency pinning, and 86% of workflows do not limit token permissions.
- Of the 19,113 custom GitHub Actions in the marketplace, only 913 were created by verified GitHub users; 18% had vulnerable dependencies; 762 are archived and do not receive regular updates; the average OSSF security score was 4.23 out of 10; and a single developer maintains most.