Automatic Security Assessment of GitHub Actions Workflows

The demand for quick and reliable DevOps operations pushed distributors of repository platforms to implement workflows. Workflows allow automating code management operations directly on the repository hosting the software. However, this feature also introduces security issues that directly affect th...

Ausführliche Beschreibung

Gespeichert in:

Bibliographische Detailangaben
Veröffentlicht in:	arXiv.org 2022-11
Hauptverfasser:	Benedetti, Giacomo, Verderame, Luca, Merlo, Alessio
Format:	Artikel
Sprache:	eng
Schlagworte:	Computer Science - Cryptography and Security Distributors Repositories Security Software Supply chains
Online-Zugang:	Volltext
Tags:	Tag hinzufügen Keine Tags, Fügen Sie den ersten Tag hinzu!

container_end_page
container_issue
container_start_page
container_title	arXiv.org
container_volume
creator	Benedetti, Giacomo Verderame, Luca Merlo, Alessio
description	The demand for quick and reliable DevOps operations pushed distributors of repository platforms to implement workflows. Workflows allow automating code management operations directly on the repository hosting the software. However, this feature also introduces security issues that directly affect the repository, its content, and all the software supply chains in which the hosted code is involved in. Hence, an attack exploiting vulnerable workflows can affect disruptively large software ecosystems. To empirically assess the importance of this problem, in this paper, we focus on the de-facto main distributor (i.e., GitHub), and we developed a security assessment methodology for GitHub Actions workflows, which are widely adopted in software supply chains. We implemented the methodology in a tool (GHAST) and applied it on 50 open-source projects. The experimental results are worrisome as they allowed identifying a total of 24,905 security issues (all reported to the corresponding stakeholders), thereby indicating that the problem is open and demands further research and investigation.
doi_str_mv	10.48550/arxiv.2208.03837
format	Article
fullrecord	<record><control><sourceid>proquest_arxiv</sourceid><recordid>TN_cdi_arxiv_primary_2208_03837</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>2700156086</sourcerecordid><originalsourceid>FETCH-LOGICAL-a957-d50d8e2f5931448e45033452cdfe4643373f31aac2fa1477ebe0e7508f9aa6303</originalsourceid><addsrcrecordid>eNotj0FLwzAYhoMgOOZ-gCcDnlu_5Eua9FiGbsLAgwOPJWsTyFyXmaTq_r1z8_ReHl6eh5A7BqXQUsKjiT_-q-QcdAmoUV2RCUdkhRac35BZSlsA4JXiUuKE1M2Yw2Cy7-ib7cbo85E2KdmUBrvPNDi68Hk5bmjTZR_2ib6H-OF24TvdkmtndsnO_ndK1s9P6_myWL0uXubNqjC1VEUvodeWO1kjE0JbIQFRSN71zopKICp0yIzpuDNMKGU3FqySoF1tTIWAU3J_uT13tYfoBxOP7V9fe-47EQ8X4hDD52hTbrdhjPuTU8sVAJMV6Ap_ASjMUds</addsrcrecordid><sourcetype>Open Access Repository</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>2700156086</pqid></control><display><type>article</type><title>Automatic Security Assessment of GitHub Actions Workflows</title><source>arXiv.org</source><source>Free E- Journals</source><creator>Benedetti, Giacomo ; Verderame, Luca ; Merlo, Alessio</creator><creatorcontrib>Benedetti, Giacomo ; Verderame, Luca ; Merlo, Alessio</creatorcontrib><description>The demand for quick and reliable DevOps operations pushed distributors of repository platforms to implement workflows. Workflows allow automating code management operations directly on the repository hosting the software. However, this feature also introduces security issues that directly affect the repository, its content, and all the software supply chains in which the hosted code is involved in. Hence, an attack exploiting vulnerable workflows can affect disruptively large software ecosystems. To empirically assess the importance of this problem, in this paper, we focus on the de-facto main distributor (i.e., GitHub), and we developed a security assessment methodology for GitHub Actions workflows, which are widely adopted in software supply chains. We implemented the methodology in a tool (GHAST) and applied it on 50 open-source projects. The experimental results are worrisome as they allowed identifying a total of 24,905 security issues (all reported to the corresponding stakeholders), thereby indicating that the problem is open and demands further research and investigation.</description><identifier>EISSN: 2331-8422</identifier><identifier>DOI: 10.48550/arxiv.2208.03837</identifier><language>eng</language><publisher>Ithaca: Cornell University Library, arXiv.org</publisher><subject>Computer Science - Cryptography and Security ; Distributors ; Repositories ; Security ; Software ; Supply chains</subject><ispartof>arXiv.org, 2022-11</ispartof><rights>2022. This work is published under http://arxiv.org/licenses/nonexclusive-distrib/1.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.</rights><rights>http://arxiv.org/licenses/nonexclusive-distrib/1.0</rights><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>228,230,780,784,885,27924</link.rule.ids><backlink>$$Uhttps://doi.org/10.48550/arXiv.2208.03837$$DView paper in arXiv$$Hfree_for_read</backlink><backlink>$$Uhttps://doi.org/10.1145/3560835.3564554$$DView published paper (Access to full text may be restricted)$$Hfree_for_read</backlink></links><search><creatorcontrib>Benedetti, Giacomo</creatorcontrib><creatorcontrib>Verderame, Luca</creatorcontrib><creatorcontrib>Merlo, Alessio</creatorcontrib><title>Automatic Security Assessment of GitHub Actions Workflows</title><title>arXiv.org</title><description>The demand for quick and reliable DevOps operations pushed distributors of repository platforms to implement workflows. Workflows allow automating code management operations directly on the repository hosting the software. However, this feature also introduces security issues that directly affect the repository, its content, and all the software supply chains in which the hosted code is involved in. Hence, an attack exploiting vulnerable workflows can affect disruptively large software ecosystems. To empirically assess the importance of this problem, in this paper, we focus on the de-facto main distributor (i.e., GitHub), and we developed a security assessment methodology for GitHub Actions workflows, which are widely adopted in software supply chains. We implemented the methodology in a tool (GHAST) and applied it on 50 open-source projects. The experimental results are worrisome as they allowed identifying a total of 24,905 security issues (all reported to the corresponding stakeholders), thereby indicating that the problem is open and demands further research and investigation.</description><subject>Computer Science - Cryptography and Security</subject><subject>Distributors</subject><subject>Repositories</subject><subject>Security</subject><subject>Software</subject><subject>Supply chains</subject><issn>2331-8422</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2022</creationdate><recordtype>article</recordtype><sourceid>ABUWG</sourceid><sourceid>AFKRA</sourceid><sourceid>AZQEC</sourceid><sourceid>BENPR</sourceid><sourceid>CCPQU</sourceid><sourceid>DWQXO</sourceid><sourceid>GOX</sourceid><recordid>eNotj0FLwzAYhoMgOOZ-gCcDnlu_5Eua9FiGbsLAgwOPJWsTyFyXmaTq_r1z8_ReHl6eh5A7BqXQUsKjiT_-q-QcdAmoUV2RCUdkhRac35BZSlsA4JXiUuKE1M2Yw2Cy7-ib7cbo85E2KdmUBrvPNDi68Hk5bmjTZR_2ib6H-OF24TvdkmtndsnO_ndK1s9P6_myWL0uXubNqjC1VEUvodeWO1kjE0JbIQFRSN71zopKICp0yIzpuDNMKGU3FqySoF1tTIWAU3J_uT13tYfoBxOP7V9fe-47EQ8X4hDD52hTbrdhjPuTU8sVAJMV6Ap_ASjMUds</recordid><startdate>20221110</startdate><enddate>20221110</enddate><creator>Benedetti, Giacomo</creator><creator>Verderame, Luca</creator><creator>Merlo, Alessio</creator><general>Cornell University Library, arXiv.org</general><scope>8FE</scope><scope>8FG</scope><scope>ABJCF</scope><scope>ABUWG</scope><scope>AFKRA</scope><scope>AZQEC</scope><scope>BENPR</scope><scope>BGLVJ</scope><scope>CCPQU</scope><scope>DWQXO</scope><scope>HCIFZ</scope><scope>L6V</scope><scope>M7S</scope><scope>PIMPY</scope><scope>PQEST</scope><scope>PQQKQ</scope><scope>PQUKI</scope><scope>PRINS</scope><scope>PTHSS</scope><scope>AKY</scope><scope>GOX</scope></search><sort><creationdate>20221110</creationdate><title>Automatic Security Assessment of GitHub Actions Workflows</title><author>Benedetti, Giacomo ; Verderame, Luca ; Merlo, Alessio</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-a957-d50d8e2f5931448e45033452cdfe4643373f31aac2fa1477ebe0e7508f9aa6303</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2022</creationdate><topic>Computer Science - Cryptography and Security</topic><topic>Distributors</topic><topic>Repositories</topic><topic>Security</topic><topic>Software</topic><topic>Supply chains</topic><toplevel>online_resources</toplevel><creatorcontrib>Benedetti, Giacomo</creatorcontrib><creatorcontrib>Verderame, Luca</creatorcontrib><creatorcontrib>Merlo, Alessio</creatorcontrib><collection>ProQuest SciTech Collection</collection><collection>ProQuest Technology Collection</collection><collection>Materials Science & Engineering Collection</collection><collection>ProQuest Central (Alumni Edition)</collection><collection>ProQuest Central UK/Ireland</collection><collection>ProQuest Central Essentials</collection><collection>ProQuest Central</collection><collection>Technology Collection</collection><collection>ProQuest One Community College</collection><collection>ProQuest Central Korea</collection><collection>SciTech Premium Collection</collection><collection>ProQuest Engineering Collection</collection><collection>Engineering Database</collection><collection>Publicly Available Content Database</collection><collection>ProQuest One Academic Eastern Edition (DO NOT USE)</collection><collection>ProQuest One Academic</collection><collection>ProQuest One Academic UKI Edition</collection><collection>ProQuest Central China</collection><collection>Engineering Collection</collection><collection>arXiv Computer Science</collection><collection>arXiv.org</collection><jtitle>arXiv.org</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Benedetti, Giacomo</au><au>Verderame, Luca</au><au>Merlo, Alessio</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Automatic Security Assessment of GitHub Actions Workflows</atitle><jtitle>arXiv.org</jtitle><date>2022-11-10</date><risdate>2022</risdate><eissn>2331-8422</eissn><abstract>The demand for quick and reliable DevOps operations pushed distributors of repository platforms to implement workflows. Workflows allow automating code management operations directly on the repository hosting the software. However, this feature also introduces security issues that directly affect the repository, its content, and all the software supply chains in which the hosted code is involved in. Hence, an attack exploiting vulnerable workflows can affect disruptively large software ecosystems. To empirically assess the importance of this problem, in this paper, we focus on the de-facto main distributor (i.e., GitHub), and we developed a security assessment methodology for GitHub Actions workflows, which are widely adopted in software supply chains. We implemented the methodology in a tool (GHAST) and applied it on 50 open-source projects. The experimental results are worrisome as they allowed identifying a total of 24,905 security issues (all reported to the corresponding stakeholders), thereby indicating that the problem is open and demands further research and investigation.</abstract><cop>Ithaca</cop><pub>Cornell University Library, arXiv.org</pub><doi>10.48550/arxiv.2208.03837</doi><oa>free_for_read</oa></addata></record>
fulltext	fulltext
identifier	EISSN: 2331-8422
ispartof	arXiv.org, 2022-11
issn	2331-8422
language	eng
recordid	cdi_arxiv_primary_2208_03837
source	arXiv.org; Free E- Journals
subjects	Computer Science - Cryptography and Security Distributors Repositories Security Software Supply chains
title	Automatic Security Assessment of GitHub Actions Workflows
url	https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-11T15%3A45%3A20IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_arxiv&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Automatic%20Security%20Assessment%20of%20GitHub%20Actions%20Workflows&rft.jtitle=arXiv.org&rft.au=Benedetti,%20Giacomo&rft.date=2022-11-10&rft.eissn=2331-8422&rft_id=info:doi/10.48550/arxiv.2208.03837&rft_dat=%3Cproquest_arxiv%3E2700156086%3C/proquest_arxiv%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2700156086&rft_id=info:pmid/&rfr_iscdi=true