Legit Security
State of GitHub Actions Security Report
Pages
31
Time to read
22 mins
Publication
Language
English
Pages
31
Time to read
22 mins
Publication
Language
English
This technical report presents an analysis of security vulnerabilities in GitHub Actions workflows. The research, conducted by Legit Security, identifies several key vulnerabilities, including interpolation of untrusted input, execution of untrusted code, and the use of untrusted artifacts. The report outlines the risks associated with these vulnerabilities, emphasizing the potential for attackers to compromise organizations through insecure workflows. It documents findings from an analysis of 2.5 million GitHub Actions workflow files across 553,000 organizations and personal users. The report also discusses the security posture of custom GitHub Actions, revealing that a significant percentage are maintained by single developers and contain vulnerable dependencies. Recommendations for mitigating these risks include enforcing best practices for GitHub Actions and thoroughly vetting custom Actions before use. The report serves as a critical resource for understanding the security landscape of GitHub Actions and provides actionable guidance for developers.