GitHub, the open-source developers’ paradise, is no longer what it used to be. After years of mounting warnings that attackers are leveraging the platform to distribute and sneak in malware, a new report has reached a shocking conclusion.
The Legit Security report found that most GitHub Actions are not created by verified users, are not maintained, have vulnerabilities, and have very low security scores.
Roy Blit, Head of Research at Legit Security, spoke about the dangers that this represents for companies everywhere, in a press release.
“GitHub is an extremely popular platform. In fact, more than 100 million developers and over 90% of Fortune 100 companies use it.
“However, despite its popularity, most GitHub Actions workflows are insecure in some way — from being overly privileged to having high-risk dependencies.
“For instance, our past research found even projects from global enterprises like Google and Apache are flawed. These findings are alarming because GitHub Actions provide the key to critical infrastructure.
“They are connected to an organization’s source code and their deployment environment, so once exploited, the organization is completely in the attacker’s hands.”
Key Takeaways
- A new report suggests GitHub Actions pose a security risk — a large portion of GitHub Actions are not created by verified users, lack maintenance, and have vulnerabilities.
- The scale of the problem is significant, with worrying trends like untrusted code execution in thousands of workflows and insecure dependency management.
- While GitHub can improve platform security, developers must prioritize secure coding practices and utilize built-in security features within Actions.
- Alternatives exist, but due diligence is key. Exploring alternatives like GitLab or self-hosted options comes with its own security considerations.
Stats of GitHub Actions ‘Beyond Expectations’
In their investigation, Legit Security also uncovered interpolation of untrusted input in more than 7,000 workflows, execution of untrusted code in over 2,500 workflows, and use of untrustworthy artifacts in 3,000-plus workflows.
Of the 19,113 custom GitHub Actions, only 913 were created by verified GitHub users; 18% had vulnerable dependencies; 762 are archived and do not receive regular updates; the average OSSF security score was 4.23 out of 10; and most repositories are maintained by a single developer.
Techopedia spoke to Legit Security’s Roy Blit, who discussed the surprising takeaways of the GitHub report.
“We knew that we’re probably going to find a lot of cases of insecure workflows and Actions, but we didn’t expect this to be so prevalent. The statistics we found were beyond expectations.”
GitHub Resources’ Integrity History Overshadowed
Reports that question GitHub’s resources’ integrity are nothing new. To cite just a couple of examples, Bitdefender reported in 2022 that thousands of PoC exploits on GitHub were laced with malware, and in 2023 Aqua Nautilus found that millions of GitHub repositories were potentially vulnerable to ‘RepoJacking’.
Blit from Legit Security discussed this history of GitHub security research and why their recent report is unique.
“Indeed, GitHub has been under security research for quite some time. However, this research is focused specifically on GitHub Actions — the CI/CD [continuous integration and continuous deployment] service offered by GitHub,” Blit said.
“We’ve conducted a thorough investigation of different aspects of GitHub Actions, which hasn’t been done before to this extent, and it is important to educate the open source community on this matter to prevent attackers from taking over the CI/CD pipelines of critical projects.”
Vaibhav Malik, Global Partner Solutions Architect Leader at Cloudflare, expressed shock at the extent of the findings of this new report to Techopedia:
“One of the most shocking findings is the sheer scale of potential vulnerabilities. The research uncovered interpolation of untrusted input in over 7,000 workflows and execution of untrusted code in over 2,500 workflows.”
“Given GitHub’s widespread use among developers and major companies, the potential impact of these vulnerabilities is concerning,” Malik said.
“Additionally, it is alarming that 98% of references used by jobs and steps don’t follow best practices for dependency pinning. This leaves many workflows potentially exposed to unexpected changes or updates.”
Malik explained that the findings are particularly relevant because they highlight vulnerabilities in GitHub Actions, which have become critical to many organizations’ development and deployment pipelines.
“Unlike previous security concerns that may have focused on repository access or code integrity, these vulnerabilities could allow attackers to manipulate the automated processes that build, test, and deploy code.”
Alternatives for Developers Looking to Play Pro and Safe
While GitHub remains a major player, there are other options for code hosting and collaboration. Those who are not die-hard GitHub fans may be considering, for example, a move to cloud-based options like AWS CodeCommit or Azure DevOps Server (for Microsoft environments), or trying other platforms like Bitbucket or GitLab, a strong competitor with similar features.
But Blit from Legit Security says developers and companies might need to consider other factors.
“Most of the risks presented in this research are actually relevant to almost all CI/CD services out there. For example, pinning dependencies to a specific version (to prevent it from being changed without the developer’s knowledge) is important, no matter which CI service you’re using. Developers just need to keep in mind to work according to best practices and avoid the security pitfalls presented in the report.”
Malik from Cloudflare told Techopedia that based on the research findings, developers should consider the following actions:
- Implement stricter security practices when writing GitHub Actions workflows, especially regarding the handling of secrets and prevention of code injection.
- Be more cautious when using third-party Actions from the marketplace. Prioritize Actions from verified creators and those with higher security scores.
- Utilize GitHub’s built-in features for controlling GitHub Actions behavior to enforce best practices.
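Blit’s point about pinning dependencies and Malik’s first two recommendations (avoiding code injection in workflows, being careful with third-party Actions) can both be checked mechanically. The following script is an added example written for this article, not code from Legit Security or GitHub: a small lint that scans a workflow file for action references that are not pinned to a full 40-character commit SHA and for contributor-controlled expression contexts interpolated directly into `run:` scripts. The two embedded workflows are constructed for the example, and the SHA in the hardened one is a placeholder, not a real commit. The list of untrusted contexts is an assumption and deliberately not exhaustive.

```python
"""Lint a GitHub Actions workflow for two pitfalls named in the report:
unpinned action references and untrusted input interpolated into run: scripts.
Added example; regex-based so it needs no YAML library."""
import re

# A full 40-hex commit SHA is the only reference form an upstream owner cannot
# silently re-point to different code (tags and branches can be moved).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*(?:-\s*)?run:")
# Expression contexts an outside contributor can influence (assumed, partial list).
UNTRUSTED_RE = re.compile(
    r"\$\{\{[^}]*github\.(?:event\.(?:issue|pull_request|comment|review|"
    r"discussion|workflow_run)\b|head_ref)[^}]*\}\}"
)

# Constructed sample: tag-pinned action and issue title expanded inside a shell script.
VULNERABLE = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Greet
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
"""

# Constructed sample: SHA-pinned action (placeholder SHA), least-privilege token,
# untrusted value passed through an environment variable so the shell sees data, not code.
HARDENED = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Placeholder SHA for this example; pin to a real commit in practice.
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Greet
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
"""


def is_pinned(ref: str) -> bool:
    """True for local actions, docker images, or references pinned to a full SHA."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return True
    if "@" not in ref:
        return False
    return bool(SHA_RE.match(ref.rsplit("@", 1)[1]))


def lint_workflow(text: str) -> list:
    """Return human-readable findings with 1-based line numbers."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if not is_pinned(ref):
                findings.append(f"line {i + 1}: unpinned action reference '{ref}'")
            i += 1
            continue
        if RUN_RE.match(line):
            # Collect the run: scalar and any block-literal continuation lines
            # (blank lines or lines indented deeper than the 'run' key).
            key_indent = line.index("run:")
            block = [line]
            j = i + 1
            while j < len(lines) and (
                not lines[j].strip()
                or len(lines[j]) - len(lines[j].lstrip()) > key_indent
            ):
                block.append(lines[j])
                j += 1
            for k, script_line in enumerate(block):
                if UNTRUSTED_RE.search(script_line):
                    findings.append(
                        f"line {i + 1 + k}: untrusted input interpolated into run script: "
                        f"{script_line.strip()}"
                    )
            i = j
            continue
        i += 1
    return findings


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"{label}: {lint_workflow(wf) or 'no findings'}")
```

The hardened workflow still references the issue title, but only as an `env:` value; the lint does not flag it there because the shell receives the value as data rather than having it spliced into the script text. Running the script against a real `.github/workflows/` directory is a matter of reading each file and calling `lint_workflow` on its contents.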
Staying aware of the state of GitHub resources, understanding the risks associated with GitHub Actions, and integrating additional security tools are also sensible steps moving forward. Malik also addressed those looking for new platforms.
“For alternatives, developers might consider other CI/CD platforms with potentially stronger security features, or look into self-hosted runners and custom action implementations that allow for tighter control over the execution environment. However, any alternative should be carefully evaluated for its own potential security implications.”
The Bottom Line
The report from Legit Security is a wake-up call for developers and organizations relying on GitHub Actions. The convenience of these automated tools comes with a security risk, especially considering the prevalence of unmaintained actions and insecure coding practices.
This doesn’t mean abandoning GitHub altogether. However, it’s crucial to prioritize security when using Actions, and the recommendations from both Blit and Malik offer a clear roadmap: stricter security practices, responsible third-party action selection, and leveraging built-in security features.
For those seeking the tightest control, exploring alternative CI/CD platforms or self-hosted solutions might be an option. But remember, security is a constant battle anywhere you go. Ultimately, a combination of awareness, best practices, and potentially additional security tools is what will keep your development pipelines safe.