New State of GitHub Actions Security: Researchers Expose Most Workflows Risky, Insecure, Exploitable
Legit Security has published its new State of GitHub Actions Security report, which unveils an especially concerning security posture and reveals that most workflows are insecure, overly privileged, and have risky dependencies.
Legit’s researchers explore multiple aspects of GitHub Actions security, including vulnerabilities found in GitHub Actions workflows, protection of the building blocks of GitHub Actions workflows, and the security of custom GitHub Actions. Most of the custom Actions in the marketplace are not verified, are maintained by a single developer, and have low security scores on the OpenSSF Scorecard.
The report’s key findings include:
- Researchers uncovered interpolation of untrusted input in more than 7,000 workflows, execution of untrusted code in over 2,500 workflows, and use of untrustworthy artifacts in 3,000-plus workflows.
- Legit examined triggers, jobs, steps, runners, and permissions, uncovering significant risks: 98.4% of references do not follow the best practice of dependency pinning; 86% of workflows do not limit token permissions.
- Of the 19,113 custom GitHub Actions in the marketplace, only 913 were created by verified GitHub users; 18% had vulnerable dependencies; 762 are archived and do not receive regular updates; the average OSSF security score was 4.23 out of 10; and most are maintained by a single developer.
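As an added illustration (not the report's data or Legit's tooling), the following Python checker flags the three workflow weaknesses the findings count: unpinned action references, untrusted event data interpolated into a run script, and a missing permissions block for GITHUB_TOKEN. The workflow it scans is constructed for this example and the 40-hex action SHA is a placeholder.

```python
import re

# Constructed sample workflow (not from the report). It contains one unpinned
# action, one SHA-pinned action (placeholder SHA), one run step that interpolates
# issue-title text directly into the shell, one that passes it via env:, and no
# permissions: block.
SAMPLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"
      - run: echo "$TITLE"
        env:
          TITLE: ${{ github.event.issue.title }}
"""

USES = re.compile(r"^-?\s*uses:\s*([^\s#]+)")
RUN = re.compile(r"^-?\s*run:\s*(.*)$")
SHA_REF = re.compile(r"^[0-9a-f]{40}$")
# Subset of attacker-influenced contexts; github.event.* covers the common cases.
EVENT_EXPR = re.compile(r"\$\{\{[^}]*github\.event\.[^}]*\}\}")

def audit_workflow(text):
    """Return [(line_no, finding)] for a workflow file's text (0 = file-level)."""
    findings, block_indent = [], None  # block_indent: indent of an open `run: |`
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped:
            continue  # blank lines do not end a block scalar
        indent = len(line) - len(stripped)
        in_script = block_indent is not None and indent > block_indent
        if not in_script:
            block_indent = None
        m = USES.match(stripped)
        if m and not m.group(1).startswith(("./", "docker://")):
            ref = m.group(1).partition("@")[2]  # tag, branch or commit after '@'
            if not SHA_REF.match(ref):
                findings.append((n, f"unpinned action ref: {m.group(1)}"))
        m = RUN.match(stripped)
        if m:
            in_script = True
            if m.group(1).rstrip() in ("|", ">", "|-", ">-"):
                block_indent = indent  # continuation lines belong to the script
        # Expressions inside a run script are expanded before the shell runs;
        # the same expression under env: reaches the shell as a variable only.
        if in_script and EVENT_EXPR.search(line):
            findings.append((n, "untrusted event data interpolated into run script"))
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append((0, "no permissions block: GITHUB_TOKEN keeps default scopes"))
    return findings
```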
You can view the report here.
This entry was posted on July 16, 2024 at 9:00 am and is filed under Commentary with tags Legit Security. You can follow any responses to this entry through the RSS 2.0 feed.