Automatic Security Assessment of GitHub Actions Workflows

TL;DR

This paper presents GHAST, a tool for automatically assessing security issues in GitHub Actions workflows, revealing nearly 25,000 vulnerabilities across open-source projects, highlighting a critical security concern in software supply chains.

Contribution

The paper introduces a novel security assessment methodology and tool for GitHub Actions workflows, providing empirical analysis of security issues in real-world projects.

Findings

Identified 24,905 security issues in 50 open-source projects

All issues were reported to stakeholders for remediation

Highlights the widespread security vulnerabilities in workflows

Abstract

The demand for quick and reliable DevOps operations pushed distributors of repository platforms to implement workflows. Workflows allow automating code management operations directly on the repository hosting the software. However, this feature also introduces security issues that directly affect the repository, its content, and all the software supply chains in which the hosted code is involved in. Hence, an attack exploiting vulnerable workflows can affect disruptively large software ecosystems. To empirically assess the importance of this problem, in this paper, we focus on the de-facto main distributor (i.e., GitHub), and we developed a security assessment methodology for GitHub Actions workflows, which are widely adopted in software supply chains. We implemented the methodology in a tool (GHAST) and applied it on 50 open-source projects. The experimental results are worrisome as they allowed identifying a total of 24,905 security issues (all reported to the corresponding stakeholders), thereby indicating that the problem is open and demands further research and investigation.