Automatic Security Assessment of GitHub Actions Workflows

18Citations
Citations of this article
30Readers
Mendeley users who have this article in their library.

Abstract

The demand for quick and reliable DevOps operations pushed distributors of repository platforms to implement workflows. Workflows allow automating code management operations directly on the repository hosting the software. However, this feature also introduces security issues that directly affect the repository, its content, and all the software supply chains in which the hosted code is involved in. Hence, an attack exploiting vulnerable workflows can affect disruptively large software ecosystems. To empirically assess the importance of this problem, in this paper, we focus on the de-facto main distributor (i.e., GitHub). We developed a security assessment methodology for GitHub Actions workflows, which are widely adopted in software supply chains. We implemented the methodology in a tool (GHAST) and applied it on 50 open-source projects. The experimental results are worrisome as they allowed identifying a total of 24,905 security issues (all reported to the corresponding stakeholders), thereby indicating that the problem is open and demands further research and investigation.

Cite

CITATION STYLE

APA

Benedetti, G., Verderame, L., & Merlo, A. (2022). Automatic Security Assessment of GitHub Actions Workflows. In SCORED 2022 - Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, co-located with CCS 2022 (pp. 37–45). Association for Computing Machinery, Inc. https://doi.org/10.1145/3560835.3564554

Register to see more suggestions

Mendeley helps you to discover research relevant for your work.

Already have an account?

Save time finding and organizing research with Mendeley

Sign up for free