Unpacking Security Scanners for GitHub Actions Workflows
Madjda Fares, Yogya Gamage, Benoit Baudry
TL;DR
This paper systematically compares nine security scanners for GitHub Actions workflows, revealing their diverse strategies, detection capabilities, and gaps, and provides practical recommendations for improving workflow security.
Contribution
It offers the first comprehensive comparison of GitHub Actions security scanners, analyzing their scope, detection ability, and performance on a large dataset of workflows.
Findings
Significant variation in scanner detection capabilities
Major gaps due to different analysis strategies
Actionable recommendations for workflow security
Abstract
GitHub Actions is a widely used platform to automate the build and deployment of software projects through configurable workflows. As the platform's popularity grows, it also becomes a target of choice for software supply chain attacks. These attacks exploit excessive permissions, ambiguous versions or the absence of artifact integrity checks to compromise the workflows. In response to these attacks, several security scanners have emerged to help developers harden their workflows. In this paper, we perform the first systematic comparison of 9 GitHub Actions Workflows security scanners. We compare them regarding scope (which security weaknesses they target), detection capabilities (how many weaknesses they detect), and performance (how long they take to scan a workflow). In order to compare the scanners on a common ground, we first establish a classification of 10 common security…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsScientific Computing and Data Management · Software Engineering Research · Web Application Security Vulnerabilities