Abstract
The demand for quick and reliable DevOps operations pushed distributors of repository platforms to implement workflows. Workflows allow automating code management operations directly on the repository hosting the software. However, this feature also introduces security issues that directly affect the repository, its content, and all the software supply chains in which the hosted code is involved in. Hence, an attack exploiting vulnerable workflows can affect disruptively large software ecosystems. To empirically assess the importance of this problem, in this paper, we focus on the de-facto main distributor (i.e., GitHub). We developed a security assessment methodology for GitHub Actions workflows, which are widely adopted in software supply chains. We implemented the methodology in a tool (GHAST) and applied it on 50 open-source projects. The experimental results are worrisome as they allowed identifying a total of 24,905 security issues (all reported to the corresponding stakeholders), thereby indicating that the problem is open and demands further research and investigation.
Author supplied keywords
Cite
CITATION STYLE
Benedetti, G., Verderame, L., & Merlo, A. (2022). Automatic Security Assessment of GitHub Actions Workflows. In SCORED 2022 - Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, co-located with CCS 2022 (pp. 37–45). Association for Computing Machinery, Inc. https://doi.org/10.1145/3560835.3564554
Register to see more suggestions
Mendeley helps you to discover research relevant for your work.
