GitHub Actions is the weakest link
6 hours ago
- #GitHub Actions
- #Open Source Vulnerabilities
- #Supply Chain Security
- GitHub Actions workflows are a common entry point for open source supply chain attacks, with features like pull_request_target and issue_comment triggers enabling untrusted code execution.
- Incidents include spotbugs, Ultralytics, nx, tj-actions, Trivy, and elementary-data, exploiting mutable tags, cache poisoning, and secret leaks due to default write permissions.
- Key vulnerabilities involve unpinned action tags, dangerous triggers, template injection, and lack of permissions blocks, with many workflows resembling GitHub's documentation examples.
- Third-party tools like zizmor can audit workflows, but GitHub's security roadmap includes opt-in fixes like lockfiles and policy controls, though defaults remain unchanged.
- Trusted publishing via OIDC in package registries shifts security reliance to GitHub Actions, concentrating risk on a platform lacking built-in integrity measures.
- Recommendations include pinning SHAs, setting permissions blocks, and using linters, as breaking changes to defaults could prevent many incidents.