Read Article
2024 (UPDATE 01/23/25), Blog Post By Adnan Khan.
This blog post by Adnan Khan explores a critical security issue in GitHub Actions caching and how attackers can manipulate it to gain unauthorized access to CI/CD workflows. The core issue is cache poisoning, allowing malicious actors to replace legitimate cache entries, leading to privilege escalation and exposure of sensitive data.
- Detailed analysis of GitHub Actions caching mechanisms and potential attack vectors.
- Step-by-step execution of cache poisoning attacks.
- Highlights the real-world impact on projects like Angular, Mozilla MDN, and Hyperledger Besu.
- Introduces the Actions Cache Blasting attack technique.
The article thoroughly explains the attack but lacks detailed discussion on mitigation strategies. It could be improved by suggesting stricter cache validation, exploring ways GitHub could enhance security, and providing tools for maintainers to detect cache poisoning risks.
- Cacheract (GitHub Repo)
Read Article
Jan 9, 2025, GitHub Security Blog By Alvaro Munoz.
This article from GitHub's security blog discusses how CodeQL, GitHub’s static analysis tool, has been enhanced to detect vulnerabilities in GitHub Actions workflows. It addresses workflow misconfigurations and untrusted data flow risks through taint tracking analysis.
- Taint tracking for untrusted data sources, improving security scans.
- Introduces GitHub Actions as a structured language in CodeQL.
- Supports Bash script analysis, allowing security checks within shell commands.
- Detects cache poisoning vulnerabilities, mitigating supply chain attacks.
- Already in use to secure 75+ major open-source projects and detect 90+ vulnerabilities.
While CodeQL’s security enhancements are valuable, improvements could include expanding taint tracking for complex workflows involving multiple repositories, providing automated remediation suggestions, and improving detection of logic-based attacks such as TOCTOU vulnerabilities.
- CodeQL (GitHub Repo)
Read Article
2025 (Update 30.01.2025), Blog Post By Nemanja Ninković.
This blog post critiques GitHub Actions' usability and scalability issues, especially for monorepos and complex CI/CD pipelines. The author argues that GitHub Actions suffers from inefficiencies, lack of local testing, and YAML complexity, making alternative CI/CD solutions more attractive.
- Inefficient monorepo support, causing merge conflicts.
- YAML complexity leads to bloated workflows with excessive logic.
- No local testing support, forcing developers to push untested changes.
- GitHub is slow to address usability concerns, frustrating users.
- Alternative CI/CD solutions like GitLab CI/CD, Jenkins, TeamCity, and Dagger provide better scalability.
GitHub Actions should allow required checks to dynamically adjust based on executed jobs, improve YAML syntax to reduce redundant logic, enable local workflow execution for easier debugging, and improve communication regarding its roadmap and feature development.
Read Article
Jun 2024, BSc Thesis - University of Gothenburg By Saif Sayed and Kardo Marof.
This research explores the challenges within the GitHub Actions ecosystem, analyzing 997 discussion threads and 4.1K repositories to identify common issues like security vulnerabilities, dependency problems, and workflow obsolescence.
- Security vulnerabilities are the most prevalent issue in GitHub Actions workflows.
- Dependency issues and breaking changes create reliability concerns.
- Marketplace actions are widely used, but locally maintained actions are preferred in high-complexity repositories.
- Developers struggle with obsolescence, as outdated actions impact build stability.
The study suggests further research into improving security mechanisms for Marketplace Actions, better dependency management practices, and automated solutions for detecting and mitigating breaking changes. It also recommends a deeper qualitative analysis of developer preferences regarding Local vs. Marketplace Actions and a comparison with other CI/CD systems like GitLab CI/CD and Travis CI.
Read Article
Oct 2022, IEEE International Conference on Software Maintenance and Evolution - University of Mons By Alexandre Decan, Tom Mens, Pooya Rostami Mazrae and Mehdi Golzadeh.
This empirical study analyzes 68K GitHub repositories, showing how GitHub Actions is adopted, which workflows are automated, and the security risks involved.
- 43.9% of repositories use GitHub Actions, making it the dominant CI/CD tool.
- Reusable actions are heavily used, but security concerns exist.
- Most workflows focus on CI/CD tasks, with continuous integration and testing being top priorities.
- Security issues arise from unverified third-party actions, exposing projects to potential threats.
The research suggests improving dependency versioning best practices to mitigate security risks, enhancing tooling for workflow management to reduce maintenance overhead, and conducting further research on the long-term evolution of the GitHub Actions ecosystem to address emerging challenges. It also calls for better security practices in reusable actions to minimize the risk of supply chain attacks.
Read Article
2023, ACM Transactions on Software Engineering and Methodology (TOSEM) By Williams et al.
This research provides a broad overview of software supply chain security risks, categorizing three major attack vectors: dependencies, build infrastructure, and human factors.
- 96% of software contains open-source dependencies, making them a prime attack target.
- Build infrastructure is a major attack vector, as seen in the SolarWinds and Log4j incidents.
- Social engineering targets developers, leading to compromised credentials and injected backdoors.
- Tools like SCA scanners, SBOMs, and in-toto are essential for mitigating risks.
The paper suggests enhancing automated vulnerability detection to improve how dependencies are monitored and updated, developing better tools to analyze and secure build environments, and focusing on the human factor by strengthening identity verification and training against social engineering attacks. It also emphasizes the need for future research into securing AI-generated code and LLM-based development workflows, as these introduce new and largely unexplored risks.
- SCA tools, SBOMs, OpenSSF Scorecard, SLSA, in-toto, TUF
Read Article
2024 (UPDATE frequently), GitHub Documentation By INRIA.
Ensuring that software artifacts in GitHub Actions are verifiable and haven’t been tampered with.
GitHub provides a web UI ("Attestations" tab) and CLI command (gh attestation verify) for verifying artifact provenance. This helps prevent supply chain attacks.
It is unclear how many repositories use attestations and whether GitHub provides a public transparency log for attestations.
Read Article
Nov 2022, GitHub API Documentation
Enables developers to programmatically retrieve and verify artifact attestations.
The API allows for automated verification of software artifacts, ensuring that only trusted artifacts are used in production.
Fine-grained adoption statistics would help measure the real-world impact of this security feature.