Back to Blog
Resources

Implementing an Internal GitHub Actions Marketplace with StepSecurity

Third-party GitHub Actions accelerate CI/CD pipeline development but pose significant supply chain risks for enterprises. Implementing an internal GitHub Actions marketplace with StepSecurity allows organizations to securely vet, approve, and maintain these Actions, balancing developer productivity with robust security standards.
Ashish Kurmi

October 30, 2024

Table of Contents

Introduction

The rapid growth of reusable open-source GitHub Actions—now numbering over 20,000—has revolutionized how enterprises build their CI/CD pipelines. Developers can assemble these third-party Actions with appropriate parameters to create powerful workflows quickly. However, this abundance also introduces significant supply chain risks. How can organizations leverage the benefits of third-party GitHub Actions while maintaining robust security standards?

What Are Third-Party GitHub Actions?

Third-party GitHub Actions are reusable components developed and shared by the GitHub community—including Fortune 500 companies like Google and Amazon, as well as individual hobby developers. By referencing these open-source repositories, any GitHub Actions CI/CD workflow can use these Actions, streamlining development processes.

Key Risks with Third-Party GitHub Actions

While the convenience of third-party Actions is undeniable, their use introduces several significant risks:

  • Introduction of Vulnerabilities: Unvetted Actions may contain vulnerabilities that can be exploited.
  • Compromise of Admin Credentials: Actions often have access to sensitive credentials, posing a risk if the Action is malicious or compromised.
  • Production of Tampered Software Builds: Malicious Actions can alter build processes, leading to the deployment of compromised software.

For instance, imagine an organization unknowingly incorporates a Action maintained by a hobby developer who is later compromised by a threat actor and introduces a backdoor in the Action. This will lead to a breach of sensitive enterprise data/secrets. If this Action is used in a software build CI/CD pipeline and this software gets shipped to their customers, this can result in the compromise of all of their customers as well.

The Dilemma for Security and DevOps Teams

Many core and popular open-source Actions come from individual developers who may lack the resources to maintain them securely. Security and DevOps teams face a tough choice:

  1. Allow Risky Third-Party Actions: Accept the security risks associated with these Actions to maintain developer productivity.
  1. Deny Risky Third-Party Actions: Hamper developer productivity and velocity by restricting the use of these Actions.

Choosing the first option may expose the organization to vulnerabilities and potential breaches. The second option could slow development cycles, making staying competitive in a fast-paced market harder. Neither choice is ideal.

Solution: Implementing an Internal GitHub Actions Marketplace

Enterprises can resolve this dilemma by creating and maintaining an Internal GitHub Actions Marketplace. This marketplace provides a curated directory of vetted Actions that developers can use in their CI/CD pipelines, ensuring security without sacrificing productivity.

Graph depicting the relation between Developer team productivity and Internal Marketplace
Graph depicting the relation between Developer team productivity and Internal Marketplace

How Does the Internal Actions Marketplace Work?

  1. Vetting and Approval: Security and DevOps teams review and approve Actions before they are added to the marketplace.
  1. Types of Actions Included:
  • Third-Party Actions from Reputable Vendors: Actions from organizations like GitHub, Amazon, and approved security vendors.
  • Third-Party Actions Meeting Security Requirements: Actions that pass rigorous security assessments.
  • First-Party Actions: Internal Actions developed by the enterprise, including forked versions of external Actions for better supply chain control.
  1. Controlled Access: Developers can only use Actions from the Internal Marketplace in their GitHub Action workflows, ensuring that all components meet the organization's security standards.

By implementing this marketplace, enterprises can:

  • Maintain Security: Only vetted and approved Actions are used, reducing the risk of vulnerabilities.
  • Enhance Productivity: Developers have access to a wide range of Actions without security concerns.
  • Control the Supply Chain: The organization maintains oversight of all Actions in use.

Traditional Approach Internal Actions Marketplace
Security Risk High Low
Developer Productivity High
High
Maintenance Effort Low High
Supply Chain Control Low High
Workflow Standardization Low High

Challenges with Building a Custom Internal Actions Marketplace

While the concept is sound, building and maintaining such a marketplace presents challenges:

  1. Maintenance of Forked Third-Party Actions: Forked Actions can quickly fall behind the upstream repository, accumulating security issues if not diligently maintained.
  1. Security Review of Third-Party Actions: Conducting objective and consistent security assessments can be difficult, leading to inconsistent approval decisions.
  1. Risk Visibility into First-Party Actions: Traditional application security tools offer limited insights into the risks posed by Actions.

StepSecurity's Internal GitHub Actions Marketplace Solution

StepSecurity offers a comprehensive GitHub Actions security platform tailored to address these challenges. Our Internal GitHub Actions Marketplace is a SaaS solution that requires minimal operational overhead from enterprises.

Security and DevOps teams' Challenges resolved by the StepSecurity Internal GitHub Actions Marketplace
Security and DevOps teams' Challenges resolved by the StepSecurity Internal GitHub Actions Marketplace

Key Features of StepSecurity's Internal GitHub Actions Marketplace

Actions Inventory

You can discover all third-party and first-party Actions in use across your GitHub organization.  

Internal GitHub Actions Marketplace dashboard showing a list of all actions in use
Internal GitHub Actions Marketplace dashboard showing a list of all actions in use

You can also find all GitHub Actions workflows that use a particular Action in your organization.

Internal GitHub Actions Marketplace dashboard showing a list of all workflows using a particular Action
Internal GitHub Actions Marketplace dashboard showing a list of all workflows using a particular Action

If an enterprise has an internal GitHub Actions marketplace, Actions Inventory makes it easy for enterprises to discover all outside Actions in use and replace them with a Marketplace Action.

Actions Advisor

Actions Advisor performs objective risk assessments on Actions using several criteria, such as vulnerable dependencies, whether the action is being maintained, how popular it is, etc.  

Actions advisor score displayed on the dashboard
Actions advisor score displayed on the dashboard

In addition, the advisor also provides visibility into outbound network connections from these Actions.  

Outbound network connections displayed on the dashboard
Outbound network connections displayed on the dashboard

Actions Advisor provides insights into Actions' risk posture so enterprises can decide whether to add a new third-party Action to their internal GitHub Actions Marketplace. We are extending the feature to scan private first-party Actions as well. This new feature would help enterprises keep their first-party Actions in the marketplace secure and up to date.

Maintained Action

If an enterprise finds an action to be risky, it can request StepSecurity to create a clone, apply security best practices, and maintain it so that the developers can use a secure alternative instead. This solves the dilemma for security and DevOps teams that we have described above. Security and DevOps teams can be assured that all the Actions in use in the enterprise environment are safe without impacting developer productivity. Furthermore, it eliminates the need for enterprises to fork, clone, and maintain third-party Actions in their own environment.

List of maintained Actions on GitHub Actions Marketplace
List of maintained Actions on GitHub Actions Marketplace
Comparing StepSecurity Maintained Actions with other Actions
Comparing StepSecurity Maintained Actions with other Actions

By leveraging StepSecurity's solution, enterprises can overcome the challenges of building a custom internal Actions marketplace. Our platform automates maintenance, provides consistent security assessments, and offers unparalleled visibility into Action risks.

Try StepSecurity for Free

Why Choose StepSecurity?

Unlike traditional security tools that offer limited visibility into GitHub Actions, StepSecurity provides a comprehensive platform designed specifically for the unique needs of CI/CD workflows. We help organizations secure their pipelines without compromising on speed or innovation.

If you would like to create an Internal Actions Marketplace for your organization, please get in touch with using the Contact us page.

Blog

Explore Related Posts