There are now over 20,000 GitHub Actions in the marketplace for use cases ranging from testing to publishing to security. Enterprises typically use hundreds of these third-party Actions in their GitHub organization and have no way to measure the risk these Actions introduce.
If your organization uses GitHub Actions and you are part of the Security Team or the DevOps Team, you may already have a process to review and approve the use of a third-party GitHub Action in your organization. You may be spending time and effort reviewing the code of third-party GitHub Actions and forking them in your GitHub organization and using the forked version. All this tedious work requires dedicated resources and has the potential to slow down developers who just want to use various GitHub Actions in their pipelines.
Enter StepSecurity: revolutionizing this process with the launch of GitHub Actions Advisor and StepSecurity Maintained Actions.
GitHub Actions Advisor
StepSecurity automatically calculates a security score for public GitHub Actions to help you decide if you should use that GitHub Action based on your risk appetite. The score is calculated based on these six attributes:
1. Maintained - Is the project actively maintained or has it been abandoned?
2. Vulnerabilities - Does the GitHub Action have unfixed vulnerabilities?
3. Popular - Is the GitHub Action popular and used by other projects?
4. Branch Protection - Does the GitHub Action’s project use branch protection?
5. License - Does the GitHub Action's project declare a license?
6. Security Policy - Does the GitHub Action's project contain a security policy?
Let’s look at an example. This is the GitHub Actions Security Score for codecov/codecov-action. It has a high score of 9/10 since it is actively maintained, is popular, and does not have any known vulnerabilities.
https://app.stepsecurity.io/action-advisor/codecov/codecov-action
Here is an example of an Action with a low score of 4/10. TimonVS/pr-labeler-action is not actively maintained (it was last updated over 2 years ago), it has known vulnerabilities, and does not have a security policy.
https://app.stepsecurity.io/action-advisor/TimonVS/pr-labeler-action
You can check out the scores of the Actions you use at https://app.stepsecurity.io/action-advisor
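To know which Actions to look up, you first need an inventory of the third-party Actions your workflows reference. The following is an added example, not StepSecurity's code: it extracts `uses:` references from workflow files and builds an Advisor link for each, assuming every Advisor page follows the owner/repo URL pattern of the two links above. The sample workflow, the first-party owner list and the function name are constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: every Advisor page follows the owner/repo URL pattern of the two links above.
ADVISOR_BASE = "https://app.stepsecurity.io/action-advisor"

# `uses: owner/repo[/subpath]@ref`, optionally quoted. The owner must start with an
# alphanumeric character, which excludes local (./path) and docker:// references.
USES_RE = re.compile(
    r"""^\s*(?:-\s+)?uses:\s*['"]?([A-Za-z0-9][\w.-]*)/([\w.-]+)((?:/[^@\s'"]*)?)@([^\s'"#]+)""",
    re.MULTILINE,
)

# Constructed sample workflow (not from the original page).
SAMPLE_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - uses: docker://alpine:3.19
      - name: Upload coverage
        uses: codecov/codecov-action@v3
      # - uses: example-org/disabled-action@v1
      - uses: "TimonVS/pr-labeler-action@v4"
  shared:
    uses: example-org/workflows/.github/workflows/build.yml@main
"""

def inventory(workflow_texts, first_party=("actions", "github")):
    """Return [(owner/repo, sorted refs, Advisor URL)] for third-party Actions."""
    found = {}
    for text in workflow_texts:
        for owner, repo, subpath, ref in USES_RE.findall(text):
            if owner.lower() in first_party:
                continue  # GitHub's own Actions (assumed first-party list)
            if ".github/workflows/" in subpath:
                continue  # reusable workflow call, not an Action
            found.setdefault(f"{owner}/{repo}", set()).add(ref)
    return [(a, sorted(found[a]), f"{ADVISOR_BASE}/{a}")
            for a in sorted(found, key=str.lower)]

if __name__ == "__main__":
    files = sorted(Path(".github/workflows").glob("*.y*ml"))
    texts = [f.read_text() for f in files] or [SAMPLE_WORKFLOW]
    for action, refs, url in inventory(texts):
        print(f"{action}  refs={','.join(refs)}  {url}")
```

Run from a repository root, it reads `.github/workflows/`; with no workflow files present it falls back to the constructed sample.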
Networking behavior of GitHub Actions
In addition to a score based on static analysis of the code and repository settings of GitHub Actions, we also provide networking behavior based on runtime analysis. This tells you what outbound calls a GitHub Action typically makes.
This data shows whether an Action might be making outbound calls to suspicious destinations. This is a common risk: malicious or compromised Actions try to exfiltrate code or CI/CD credentials from the runners. Static analysis on its own cannot detect these attack patterns.
The networking behavior is calculated by StepSecurity Harden-Runner, which provides network and runtime security for GitHub-hosted and self-hosted runners. We collate these insights from the over 2,200 open-source projects that use Harden-Runner and, therefore, have runtime behavior insights for many third-party GitHub Actions. Harden-Runner insights from our enterprise customers for private repositories are not used for this analysis.
As an example, this is what the networking behavior for codecov/codecov-action looks like. Most of the calls are to the codecov.io hosts and one of them is to the Google Storage API to upload test results.
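One way to use such a baseline is to compare the destinations seen in your own jobs against it and flag anything outside. The following is an added example, not StepSecurity's code or Harden-Runner output: the baseline patterns, the observed hostnames and the function names are all constructed, based only on the destinations described above for codecov/codecov-action.

```python
# Constructed baseline for illustration: the destinations the text above describes
# for codecov/codecov-action. Hostname patterns are assumptions, not Harden-Runner output.
BASELINE = {
    "codecov/codecov-action": ["codecov.io", "*.codecov.io", "storage.googleapis.com"],
}

# Constructed observations: (action, destination host) pairs from one hypothetical job.
OBSERVED = [
    ("codecov/codecov-action", "uploader.codecov.io"),
    ("codecov/codecov-action", "Storage.GoogleAPIs.com."),
    ("codecov/codecov-action", "notcodecov.io"),
    ("codecov/codecov-action", "codecov.io.telemetry.example"),
    ("example-org/unreviewed-action", "api.github.com"),
]

def host_matches(host, pattern):
    """Exact match, or `*.domain` matching subdomains only on a label boundary."""
    host = host.lower().rstrip(".")  # normalise case and a trailing root dot
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # Keep the leading dot (".codecov.io") so "notcodecov.io" does not match.
        return host.endswith(pattern[1:])
    return host == pattern

def unexpected_calls(observed, baseline=BASELINE):
    """Return [(action, host, reason)] for calls outside the Action's baseline."""
    findings = []
    for action, host in observed:
        patterns = baseline.get(action)
        if patterns is None:
            findings.append((action, host, "no baseline for this Action"))
        elif not any(host_matches(host, p) for p in patterns):
            findings.append((action, host, "destination not in baseline"))
    return findings

if __name__ == "__main__":
    for action, host, reason in unexpected_calls(OBSERVED):
        print(f"{action} -> {host}: {reason}")
```

Matching on the label boundary matters: a plain suffix or substring comparison against `codecov.io` would accept both lookalike hosts in the sample.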
StepSecurity Maintained Actions
When you look at the scores of the Actions your organization uses, you may realize that a lot of them have a low score, and many of them may have been abandoned. In such scenarios, to reduce risk, you may be forking and maintaining third-party Actions yourself. This impacts developer productivity since developers must wait for the review and forking of an Action. It is also time-consuming because Security or DevOps teams now need to maintain these Actions in perpetuity.
To solve these challenges, StepSecurity is excited to announce StepSecurity Maintained Actions. These are open-source Actions that StepSecurity maintains. We do manual and automated reviews of the code before forking and merging updates from the upstream repository. We also apply security best practices to improve the security score of these StepSecurity Maintained Actions.
StepSecurity Maintained Actions is available as part of our Team and Enterprise plans. It drastically reduces risk and tedious manual work for our customers while increasing developer velocity, as developers can now use third-party Actions that might not have been approved for use earlier.
Here is an example of a StepSecurity Maintained Action and how it compares with the original Action in terms of the security score.
To try out StepSecurity Maintained Actions, you can get started with a free trial here: https://www.stepsecurity.io/starting-free-trial
Webinar on Managing Risks of Third-Party Actions
Our webinar on "Managing Risks of Third-Party GitHub Actions in Your CI/CD" talked about how you can securely use third-party Actions in your workflows.
StepSecurity GitHub App
If you are using the StepSecurity GitHub Actions Security Platform, you can view the scores of all the Actions being used across your organization by clicking on the Actions menu.
You can also view all the available StepSecurity Maintained Actions using the menu option.
If you are not already using the StepSecurity GitHub Actions Security Platform, you can get started with a free trial here: https://www.stepsecurity.io/start-free