Automatic Security Assessment of GitHub Actions Workflows

Giacomo Benedetti, Luca Verderame, A. Merlo
DOI: 10.1145/3560835.3564554 (https://doi.org/10.1145/3560835.3564554)
Published in: Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses
Publication date: 2022-08-07
Citations: 10

Abstract

The demand for quick and reliable DevOps operations has pushed the distributors of repository platforms to implement workflows. Workflows allow code management operations to be automated directly on the repository hosting the software. However, this feature also introduces security issues that directly affect the repository, its content, and every software supply chain in which the hosted code is involved. Hence, an attack exploiting vulnerable workflows can disrupt large software ecosystems. To empirically assess the importance of this problem, in this paper we focus on the de facto main distributor (i.e., GitHub). We developed a security assessment methodology for GitHub Actions workflows, which are widely adopted in software supply chains. We implemented the methodology in a tool (GHAST) and applied it to 50 open-source projects. The experimental results are worrisome: they allowed us to identify a total of 24,905 security issues (all reported to the corresponding stakeholders), indicating that the problem is open and demands further research and investigation.
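The abstract does not list the checks GHAST performs. As an added illustration of the kind of static assessment such a methodology applies to a workflow file (example code written for this page, not GHAST or the authors' tool), the checker below flags four well-known GitHub Actions weaknesses: actions not pinned to a full commit SHA, a missing `permissions:` block (so GITHUB_TOKEN inherits the repository default), a `pull_request_target` workflow that checks out the pull-request head, and attacker-controlled expression contexts interpolated into a `run:` script. The rule identifiers, the two sample workflows, the `example-org/labeler` action name and the 40-hex placeholder SHA are all constructed for the example. The checker takes the workflow as the Python structure `yaml.safe_load` would return for the YAML file; PyYAML follows YAML 1.1 and reads the bare `on:` key as the boolean `True`, which is why the sample dicts use `True` as the trigger key and the checker looks under both spellings.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Any

# Only a full 40-hex commit SHA is an immutable action reference; tags and
# branches move with whoever controls the action repository.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Contexts an outside contributor controls through a PR, issue or comment.
# Interpolated into a script they become shell injection (well-known sinks,
# not an exhaustive list).
UNTRUSTED_CTX = re.compile(
    r"\$\{\{\s*github\.(?:head_ref"
    r"|event\.(?:issue|pull_request|discussion)\.(?:title|body)"
    r"|event\.pull_request\.head\.(?:ref|label)"
    r"|event\.(?:comment|review|review_comment)\.body"
    r"|event\.head_commit\.message"
    r"|event\.commits\[[^\]]*\]\.message)\s*\}\}"
)


@dataclass(frozen=True)
class Finding:
    rule: str       # constructed rule identifier, not a GHAST rule name
    location: str
    detail: str


def _triggers(wf: dict[Any, Any]) -> set[str]:
    # PyYAML (YAML 1.1) reads the bare key `on:` as the boolean True.
    on = wf.get("on", wf.get(True))
    if on is None:
        return set()
    if isinstance(on, str):
        return {on}
    return set(on) if isinstance(on, list) else set(on.keys())


def _ref_is_pinned(uses: str) -> bool:
    if uses.startswith("./"):          # local action inside this repository
        return True
    if uses.startswith("docker://"):   # container image: needs a digest
        return "@sha256:" in uses
    return "@" in uses and bool(SHA_RE.match(uses.rsplit("@", 1)[1]))


def assess_workflow(wf: dict[Any, Any]) -> list[Finding]:
    findings: list[Finding] = []
    triggers = _triggers(wf)
    top_perms = wf.get("permissions")
    if top_perms == "write-all":
        findings.append(Finding("GHA-PERMS-WRITEALL", "workflow", "permissions: write-all"))
    for job_name, job in (wf.get("jobs") or {}).items():
        job_loc = f"jobs.{job_name}"
        job_perms = job.get("permissions")
        if top_perms is None and job_perms is None:
            findings.append(Finding("GHA-PERMS-MISSING", job_loc,
                "no permissions: block; GITHUB_TOKEN falls back to the repository "
                "default, which may be write-all"))
        elif job_perms == "write-all":
            findings.append(Finding("GHA-PERMS-WRITEALL", job_loc, "permissions: write-all"))
        for idx, step in enumerate(job.get("steps") or []):
            loc = f"{job_loc}.steps[{idx}]"
            uses, with_ = step.get("uses"), step.get("with") or {}
            if uses and not _ref_is_pinned(uses):
                findings.append(Finding("GHA-UNPINNED-ACTION", loc,
                    f"uses: {uses} is not pinned to a full commit SHA"))
            # pull_request_target runs with the base repository's secrets and
            # token; checking out the PR head hands them to untrusted code.
            if (uses and uses.split("@", 1)[0] == "actions/checkout"
                    and "pull_request_target" in triggers
                    and "github.event.pull_request.head" in str(with_.get("ref", ""))):
                findings.append(Finding("GHA-PRT-CHECKOUT", loc,
                    "pull_request_target workflow checks out the PR head"))
            if isinstance(step.get("run"), str):
                for m in UNTRUSTED_CTX.finditer(step["run"]):
                    findings.append(Finding("GHA-EXPR-INJECTION", f"{loc}.run",
                        f"{m.group(0)} interpolated into the script; pass it via env: instead"))
    return findings


# Constructed sample workflows, as yaml.safe_load would parse the YAML files.
VULNERABLE_WORKFLOW = {
    True: {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"triage": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "echo 'PR title: ${{ github.event.pull_request.title }}'"},
        {"uses": "example-org/labeler@main"},   # hypothetical action name
    ]}},
}
HARDENED_WORKFLOW = {
    True: {"pull_request": {"types": ["opened", "synchronize"]}},
    "permissions": {"contents": "read", "pull-requests": "write"},
    "jobs": {"triage": {"runs-on": "ubuntu-latest", "steps": [
        # placeholder SHA: pin to the real commit of the release you audited
        {"uses": "actions/checkout@0123456789abcdef0123456789abcdef01234567"},
        {"env": {"PR_TITLE": "${{ github.event.pull_request.title }}"},
         "run": 'echo "PR title: $PR_TITLE"'},
    ]}},
}
```

Calling `assess_workflow(VULNERABLE_WORKFLOW)` returns five findings (missing permissions on the job, two unpinned actions, the `pull_request_target` checkout of the PR head, and the title injected into the `run:` script); `assess_workflow(HARDENED_WORKFLOW)` returns none, because the hardened variant pins the action, declares a read-mostly token, triggers on `pull_request`, and moves the untrusted value into an `env:` variable that the shell expands as data rather than the runner splicing it into the script. Real-world use would replace the embedded dicts with `yaml.safe_load(open(path))` over each file under `.github/workflows/`.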