Researchers expose GitHub Actions workflows as risky and exploitable
GitHub is an immensely popular platform, with over 100 million developers and over 90% of Fortune 100 companies utilizing it. Despite its widespread use, many GitHub Actions workflows remain insecure, often due to excessive privileges or high-risk dependencies.
In this Help Net Security video, Roy Blit, Head of Research at Legit Security, discusses a new Legit Security State of GitHub Actions Security report. The report unveils an especially concerning security posture and reveals that most workflows are insecure, overly privileged, and have risky dependencies.
The report’s key findings include:
- Researchers uncovered the interpolation of untrusted input in more than 7,000 workflows, the execution of untrusted code in over 2,500 workflows, and the use of untrustworthy artifacts in 3,000-plus workflows.
- Legit Security examined triggers, jobs, steps, runners, and permissions, uncovering significant risks: 98.4% of references do not follow the best practice of dependency pinning, and 86% of workflows do not limit token permissions.
- Of the 19,113 custom GitHub Actions in the marketplace, only 913 were created by verified GitHub users; 18% had vulnerable dependencies; 762 are archived and no longer receive regular updates; the average OSSF Scorecard security score was 4.23 out of 10; and most are maintained by a single developer.
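The three workflow-level findings above (untrusted input interpolated into a step, action references not pinned to a commit, and no `permissions:` block limiting the GITHUB_TOKEN) can be checked mechanically. The following added example is not from the report or from Legit Security; it is a small line-based audit over a constructed workflow, with the 40-character SHA and the list of event-controlled contexts being assumptions chosen for illustration.

```python
import re

# Constructed sample workflow (not taken from the report): an issue-triggered job.
SAMPLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
      - name: greet
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
          echo "done"
"""

SHA_REF = re.compile(r"^[0-9a-f]{40}$")                 # full commit SHA = pinned
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Contexts an outside contributor controls (assumed, non-exhaustive list).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(event\.(issue|pull_request|comment|review)|head_ref)[^}]*\}\}")

def audit_workflow(text):
    """Return (line_no, message) tuples; line 0 marks a whole-file finding."""
    findings, in_run, run_indent = [], False, 0
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if in_run and indent <= run_indent:
            in_run = False                              # left the run: block
        m = USES.match(line)
        if m:
            action = m.group(1)
            ref = action.split("@", 1)[1] if "@" in action else ""
            # Local (./) and docker:// actions are pinned differently; skip them here.
            if not action.startswith(("./", "docker://")) and not SHA_REF.match(ref):
                findings.append((no, f"unpinned action reference: {action}"))
        if re.match(r"^\s*(-\s*)?run:", line):
            in_run, run_indent = True, indent
        if in_run and UNTRUSTED.search(line):
            findings.append((no, "untrusted event input interpolated into run step"))
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append((0, "no permissions: block, GITHUB_TOKEN keeps its default scope"))
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW)` reports the unpinned `actions/checkout@v4`, the issue title interpolated into the shell step, and the missing `permissions:` block; fixing the sample means pinning the action to a commit SHA, passing the title through an `env:` variable instead of `${{ }}` inside `run:`, and adding a least-privilege `permissions:` block.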
source: HelpNetSecurity