Mitigating Security Issues in GitHub Actions
Hassan Onsori Delicheh, Tom Mens. University of Mons, Belgium
Abstract:
Collaborative practices have revolutionised the software development process, enabling distributed teams to seamlessly work together. Social coding platforms have integrated CI/CD automation workflows, with GitHub Actions emerging as a prominent automation ecosystem for GitHub repositories. While automation brings efficiency, it also introduces security challenges, often related to software supply chain attacks and workflow misconfigurations. We outline the security issues associated with the software supply chain of GitHub Actions workflows, most notably their reusable Actions and their dependencies. We also explore the security risks associated with misconfigurations of repositories and workflows, such as poor permission management, command injection, and credential exposure. To mitigate these risks we suggest practical remediations, including dependency and security monitoring, pinning Actions, strict access control, verified creator practices, secret scanning tools, raising awareness, and training. In doing so, we provide valuable insights on the need to integrate security seamlessly into the automated collaborative software development processes. To enhance the security of workflow automation within GitHub repositories we encourage a proactive approach and advocate for the adoption of best practices.
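The remediations the abstract lists (pinning Actions to immutable references, explicit permission management, and avoiding command injection through untrusted workflow context) can be checked mechanically before a workflow is merged. The following script is an added example, not code from the paper or its authors: it scans a GitHub Actions workflow file with simple line-based rules and reports (1) `uses:` references that are not pinned to a full 40-character commit SHA, (2) the absence of any explicit `permissions:` block, and (3) `run:` scripts that interpolate `${{ github.event.* }}` values directly into a shell command instead of passing them through an environment variable. The sample workflow, the action names `example-org/some-action` and `example-org/other-action`, and the SHA in it are constructed for illustration.

```python
import re

# Constructed sample workflow for this example. The org/action names and the
# 40-hex SHA are placeholders, not real published Actions.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/some-action@main
      - uses: example-org/other-action@0123456789abcdef0123456789abcdef01234567
      - name: Echo title (untrusted input interpolated directly into the script)
        run: |
          echo "Title: ${{ github.event.pull_request.title }}"
      - name: Echo title (input passed through an environment variable)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $PR_TITLE"
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
PERMS_RE = re.compile(r"^\s*permissions:")
# Any workflow expression that reads from the triggering event payload is
# attacker-controllable on triggers such as pull_request_target or issues.
UNTRUSTED_RE = re.compile(r"\$\{\{\s*github\.event\.")


def find_unpinned_actions(text):
    """Return (lineno, ref) for every third-party 'uses:' not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local composite actions and docker:// images are versioned differently.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _name, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


def _run_scripts(lines):
    """Yield (lineno, script) for each 'run:' step, joining YAML block scalars."""
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        start = i
        body = m.group(1).strip()
        if body in ("|", ">", "|-", ">-"):
            # Block scalar: continuation lines are indented deeper than the key.
            key_indent = lines[i].index("run:")
            parts = []
            i += 1
            while i < len(lines) and (
                lines[i].strip() == ""
                or len(lines[i]) - len(lines[i].lstrip()) > key_indent
            ):
                parts.append(lines[i].strip())
                i += 1
            body = "\n".join(parts)
        else:
            i += 1
        yield start + 1, body


def find_script_injection(text):
    """Return (lineno, script) for run steps that inline event data into the shell."""
    return [(ln, s) for ln, s in _run_scripts(text.splitlines()) if UNTRUSTED_RE.search(s)]


def has_explicit_permissions(text):
    """True if the workflow declares a permissions block at any level."""
    return any(PERMS_RE.match(line) for line in text.splitlines())


def scan_workflow(text):
    """Aggregate the three checks into one report."""
    return {
        "unpinned_actions": find_unpinned_actions(text),
        "missing_permissions": not has_explicit_permissions(text),
        "script_injection": find_script_injection(text),
    }


if __name__ == "__main__":
    for key, value in scan_workflow(SAMPLE_WORKFLOW).items():
        print(f"{key}: {value}")
```

On the constructed sample the scan flags `actions/checkout@v4` and `example-org/some-action@main` as unpinned (a mutable tag or branch can be re-pointed upstream, which is the supply-chain risk the abstract refers to), reports that no `permissions:` block is declared, and flags only the first `run:` step, since the second one reaches the event payload through `$PR_TITLE`, where the shell treats it as data rather than as part of the command. Adding `permissions: {}` (or a minimal read-only set) at the top of the file clears the permissions finding.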
Mon 15 Apr (displayed time zone: Lisbon)
09:00 - 10:30 | Developing secure software (EnCyCriS/SVM), at Amadeo de Souza-Cardoso. Chair(s): Awais Rashid, University of Bristol, UK
09:00 (5m) Day opening | Workshop opening, EnCyCriS/SVM
09:05 (45m) Keynote | Keynote: If you build it, they (probably) won't come, EnCyCriS/SVM
09:50 (20m) Full paper | WasmCFuzz: Structure-aware Fuzzing for Wasm Compilers, EnCyCriS/SVM. Authors: Xiangwei Zhang (College of Intelligence and Computing, Tianjin University), Junjie Wang (College of Intelligence and Computing, Tianjin University), Xiaoning Du (Monash University, Australia), Shuang Liu (Tianjin University)
10:10 (20m) Full paper | Mitigating Security Issues in GitHub Actions, EnCyCriS/SVM