Paper published in a book (Scientific congresses and symposiums)
Mitigating Security Issues in GitHub Actions
Onsori delicheh, Hassan; Mens, Tom
2024. In: 2024 ACM/IEEE 4th International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) and 2024 IEEE/ACM Second International Workshop on Software Vulnerability (EnCyCriS/SVM '24)
Peer reviewed
 

Files


Full Text
Hassan2024-EnCyCriSSVM.pdf
Author postprint (464.67 kB)
Owner grants to ACM an exclusive, worldwide, royalty-free, perpetual, irrevocable, transferable and sublicenseable license to publish, reproduce and distribute all or any part of the Work in any and all forms of media, now or hereafter known, including in the above publication and in the ACM Digital Library, and to authorize third parties to do the same.
Details



Keywords :
GitHub Actions; collaborative software development; workflow automation; security risk; software supply chain
Abstract :
Collaborative practices have revolutionised the software development process, enabling distributed teams to work together seamlessly. Social coding platforms have integrated CI/CD automation workflows, with GitHub Actions emerging as a prominent automation ecosystem for GitHub repositories. While automation brings efficiency, it also introduces security challenges, often related to software supply chain attacks and workflow misconfigurations. We outline the security issues associated with the software supply chain of GitHub Actions workflows, most notably their reusable Actions and their dependencies. We also explore the security risks associated with misconfigurations of repositories and workflows, such as poor permission management, command injection, and credential exposure. To mitigate these risks, we suggest practical remediations, including dependency and security monitoring, pinning Actions, strict access control, verified-creator practices, secret-scanning tools, raising awareness, and training. In doing so, we provide valuable insights on the need to integrate security seamlessly into automated collaborative software development processes. To enhance the security of workflow automation within GitHub repositories, we encourage a proactive approach and advocate the adoption of best practices.
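The misconfigurations the abstract names (unpinned Actions, poor permission management, command injection, credential exposure) next to the remediations it suggests, as an added workflow example that is not from the paper. The DEPLOY_TOKEN secret, the example.invalid endpoint, the ghp_ token string and the all-zero commit SHA are placeholders, not real values.

```yaml
# Added example, not from the paper: one weak job and its hardened twin.
# Assumed names: DEPLOY_TOKEN, example.invalid, the ghp_ string and the
# all-zero SHA are placeholders.

# --- Weak form: the misconfigurations the abstract names ---
name: ci-weak
on: [pull_request]
# No top-level 'permissions:' block, so GITHUB_TOKEN gets the repository
# default, which may be read/write on every scope (poor permission management).
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main   # floating ref: the Action's code can change silently
      - run: echo "Building ${{ github.event.pull_request.title }}"
        # PR title is controlled by the submitter and spliced into the shell: command injection
      - run: |
          # hard-coded credential in the workflow file: credential exposure;
          # store it as a repository secret and run a secret scanner instead
          curl -H "Authorization: token ghp_0000EXAMPLE_PLACEHOLDER" https://example.invalid/deploy
---
# --- Hardened form: the remediations the abstract suggests ---
name: ci-hardened
on: [pull_request]
permissions:
  contents: read                      # strict access control: least privilege for GITHUB_TOKEN
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Pin the Action to a full commit SHA (placeholder here) and keep the
      # version tag as a comment so dependency-monitoring tools can propose bumps.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - name: Build
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Building $PR_TITLE"   # untrusted input reaches the shell only via an env var
      - name: Deploy
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # secret lives in the repository, not the file
        run: |
          # the token never appears in the workflow source or in the command line
          curl -sS --fail -H "Authorization: token $DEPLOY_TOKEN" https://example.invalid/deploy
```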
Disciplines :
Computer science
DOI :
10.1145/3643662.3643961
Author, co-author :
Onsori delicheh, Hassan  ;  Université de Mons - UMONS > Faculté des Sciences > Service de Génie Logiciel
Mens, Tom  ;  Université de Mons - UMONS > Faculté des Sciences > Service de Génie Logiciel
Language :
English
Title :
Mitigating Security Issues in GitHub Actions
Publication date :
15 April 2024
Event name :
2024 ACM/IEEE 4th International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) and 2024 IEEE/ACM 2nd International Workshop on Software Vulnerability
Event organizer :
ACM/IEEE
Event place :
Lisbon, Portugal
Event date :
April 15, 2024
Audience :
International
Main work title :
2024 ACM/IEEE 4th International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) and 2024 IEEE/ACM Second International Workshop on Software Vulnerability (EnCyCriS/SVM '24)
Publisher :
ACM/IEEE
ISBN/EAN :
979-8-4007-0565-6
Pages :
6
Peer reviewed :
Peer reviewed
Research unit :
S852 - Génie Logiciel
Research institute :
R300 - Institut de Recherche en Technologies de l'Information et Sciences de l'Informatique
Funders :
F.R.S.-FNRS - Fonds de la Recherche Scientifique [BE]
Funding number :
T.0149.22; J.0147.24
Funding text :
This research is supported by the Fonds de la Recherche Scientifique - FNRS under grant numbers T.0149.22 and J.0147.24.
Commentary :
© Hassan Onsori Delicheh, Tom Mens, 2024. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive version was published in Proceedings of EnCyCriS/SVM '24: 2024 ACM/IEEE 4th International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) and 2024 IEEE/ACM Second International Workshop on Software Vulnerability, https://doi.org/10.1145/3643662.3643961
Available on ORBi UMONS :
since 01 February 2024
