DeepAI AI Chat
Log In Sign Up

Automatic Security Assessment of GitHub Actions Workflows

by   Giacomo Benedetti, et al.
Università di Genova

The demand for quick and reliable DevOps operations pushed distributors of repository platforms to implement workflows. Workflows allow automating code management operations directly on the repository hosting the software. However, this feature also introduces security issues that directly affect the repository, its content, and all the software supply chains in which the hosted code is involved in. Hence, an attack exploiting vulnerable workflows can affect disruptively large software ecosystems. To empirically assess the importance of this problem, in this paper, we focus on the de-facto main distributor (i.e., GitHub), and we developed a security assessment methodology for GitHub Actions workflows, which are widely adopted in software supply chains. We implemented the methodology in a tool (GHAST) and applied it on 50 open-source projects. The experimental results are worrisome as they allowed identifying a total of 24,905 security issues (all reported to the corresponding stakeholders), thereby indicating that the problem is open and demands further research and investigation.


page 3

page 4

page 7


Software supply chain: review of attacks, risk assessment strategies and security controls

The software product is a source of cyber-attacks that target organizati...

Automatic Detecting Unethical Behavior in Open-source Software Projects

Given the rapid growth of Open-Source Software (OSS) projects, ethical c...

An Empirical Study on Workflows and Security Policies in Popular GitHub Repositories

In open-source projects, anyone can contribute, so it is important to ha...

Reproducible Builds: Increasing the Integrity of Software Supply Chains

Although it is possible to increase confidence in Free and Open Source S...

GitHub Actions: The Impact on the Pull Request Process

Automated tools are frequently used in social coding repositories to per...

Topical: Learning Repository Embeddings from Source Code using Attention

Machine learning on source code (MLOnCode) promises to transform how sof...

Repository for Reusing Artifacts of Artificial Neural Networks

Artificial Neural Networks (ANNs) replaced conventional software systems...