A curated list of awesome things related to securing your GitHub Actions workflows.
GitHub Actions workflow files are extremely powerful and operate in a highly privileged software supply chain environment by default. Don't let their ease of implementation give you a false sense of security. It's easy to introduce supply chain vulnerabilities if you don't fully understand how workflow files are parsed and used by GitHub Actions.
This is a list of awesome resources for hardening your workflows in order to keep your CI/CD pipelines secure.
- GitHub Docs: Security hardening for GitHub Actions
- GitHub Blog: Tips to keep your GitHub Actions workflows secure
- GitHub Blog: Security best practices for authors of GitHub Actions
- GitHub Blog: How to secure your GitHub Actions workflows with CodeQL
- GitHub Blog: Reach SLSA Level 3 with GitHub Artifact Attestations
- John Blackbourn: List of starred repos relating to GitHub Actions security
This is the non-curated source of many of the tools in this list.
- OpenSSF: Mitigating Attack Vectors in GitHub Workflows
An overview of the most common attack vectors on GitHub workflows and recommendations on how to secure them.
All of these scanners use static analysis to detect misconfigurations and vulnerabilities in your workflow files. They can be installed and run locally or run as part of your CI workflow on GitHub Actions. They are all capable of uploading their findings to GitHub Code Scanning, but findings alone do not stop a merge, so you'll also need to set up code scanning merge protection in order for them to be effective.
- Actionlint (List of rules here)
- Octoscan (List of rules here)
- Poutine (List of rules here)
- Zizmor (List of rules here)
I'm currently using all four of these scanners on several of my repos. The scanners are complementary and all actively maintained; together they provide good coverage of many aspects of workflow file security best practices, as well as detecting misconfigurations and vulnerabilities.
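To show the kind of thing these scanners look for, here is an added example (my own illustration, not code from any of the tools listed above): a small line-oriented checker that flags `uses:` references not pinned to a full commit SHA and `${{ github.event.* }}` / `${{ github.head_ref }}` expressions expanded inside a `run:` script, run over a constructed sample workflow. The regexes, the `UNTRUSTED` context list and the sample workflow are all my own assumptions, and a real scanner parses the YAML properly rather than line by line.

```python
# Added example, not one of the listed tools: a minimal checker for two classic workflow-file issues.
import re
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
UNTRUSTED = ("github.event.", "github.head_ref")  # contributor-influenced contexts (assumed list)

def is_pinned(ref: str) -> bool:
    """True for owner/repo@<40-hex commit sha>; local (./) and docker:// refs pass."""
    if ref.startswith(("./", "docker://")):
        return True
    return bool(SHA_RE.match(ref.partition("@")[2]))

def check_workflow(text: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for the given workflow YAML text."""
    findings, run_indent = [], None  # run_indent: indent of an open `run: |` / `run: >`
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        in_run = run_indent is not None and (indent > run_indent or not line.strip())
        if not in_run:
            run_indent = None
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append((n, f"action not pinned to a commit SHA: {m.group(1)}"))
        m = RUN_RE.match(line)
        if m:
            in_run = True
            if m.group(2).strip() in ("|", ">", "|-", ">-"):
                run_indent = len(m.group(1))
        if in_run:
            for expr in EXPR_RE.findall(line):
                if expr.startswith(UNTRUSTED):  # pass such values through env: instead
                    findings.append((n, f"untrusted expression inside run: {expr}"))
    return findings
# Constructed sample: an unpinned action, an injectable run step and the safe env: form.
SAMPLE = """\
on: issues
jobs:
  triage:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: echo "New issue: ${{ github.event.issue.title }}"
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
"""
```

Running `check_workflow(SAMPLE)` reports the unpinned `actions/checkout@v4` on line 5 and the inline expansion on line 7, while the step that passes the title through `env:` is not flagged.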
- GitHub Action for OpenSSF Scorecard
Monitors and tracks the security metrics of your GitHub project, including best practices for GitHub Actions workflow files as well as many other checks. Several of the checks are opinionated which can be off-putting, but overall a valuable enough tool to recommend.
- Harden-Runner
Provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners.
- Secure-Repo
Automatically applies security best practices in your GitHub repository. Covers GitHub Actions workflows plus a few other security related configurations.
- Shellcheck is the de facto solution for statically scanning and analysing shell scripts for correctness and security. It's included in various other tools such as Actionlint and Octoscan.
- grype
A vulnerability scanner for container images and filesystems.
- Docker Scout and Docker Scout GitHub Action
Identifies security issues, outdated packages, and potential compliance problems within container images. The GitHub Action runs Docker Scout as part of your workflows.
Self-hosted Actions runners pose a higher security risk than the runners provided by GitHub. The main considerations are:
- Self-hosted runners are usually not ephemeral and therefore the risk of poisoning or interference between runs is higher.
- Self-hosted runners potentially allow access to a private network.
Resources:
- GitHub Docs: About self-hosted runners
Official docs about self-hosted runners.
- Deniz Onur Duzgun: Github Self-Hosted Runners Configuration
Best practices for configuring GitHub Enterprise Cloud self-hosted runners securely.
- pwnhub
Writings, scripts, and other output from research into GitHub Actions workflow vulnerabilities.
- GitHub Attack Toolkit
A fast scanning and attack tool for GitHub Actions pipelines.
- GitHub Actions Cache Blasting
Proof-of-concept code for research into GitHub Actions Cache poisoning.
The time that I spend maintaining this project and others is in part sponsored by:
Plus all my kind sponsors on GitHub:
CC0