Introduction
The rapid growth of reusable open-source GitHub Actions—now numbering over 20,000—has revolutionized how enterprises build their CI/CD pipelines. Developers can assemble these third-party Actions with appropriate parameters to create powerful workflows quickly. However, this abundance also introduces significant supply chain risks. How can organizations leverage the benefits of third-party GitHub Actions while maintaining robust security standards?
What Are Third-Party GitHub Actions?
Third-party GitHub Actions are reusable components developed and shared by the GitHub community—including Fortune 500 companies like Google and Amazon, as well as individual hobby developers. By referencing these open-source repositories, any GitHub Actions CI/CD workflow can use these Actions, streamlining development processes.
Key Risks with Third-Party GitHub Actions
While the convenience of third-party Actions is undeniable, their use introduces several significant risks:
- Introduction of Vulnerabilities: Unvetted Actions may contain vulnerabilities that can be exploited.
- Compromise of Admin Credentials: Actions often have access to sensitive credentials, posing a risk if the Action is malicious or compromised.
- Production of Tampered Software Builds: Malicious Actions can alter build processes, leading to the deployment of compromised software.
For instance, imagine an organization unknowingly incorporates a Action maintained by a hobby developer who is later compromised by a threat actor and introduces a backdoor in the Action. This will lead to a breach of sensitive enterprise data/secrets. If this Action is used in a software build CI/CD pipeline and this software gets shipped to their customers, this can result in the compromise of all of their customers as well.
The Dilemma for Security and DevOps Teams
Many core and popular open-source Actions come from individual developers who may lack the resources to maintain them securely. Security and DevOps teams face a tough choice:
- Allow Risky Third-Party Actions: Accept the security risks associated with these Actions to maintain developer productivity.
- Deny Risky Third-Party Actions: Hamper developer productivity and velocity by restricting the use of these Actions.
Choosing the first option may expose the organization to vulnerabilities and potential breaches. The second option could slow development cycles, making staying competitive in a fast-paced market harder. Neither choice is ideal.
Solution: Implementing an Internal GitHub Actions Marketplace
Enterprises can resolve this dilemma by creating and maintaining an Internal GitHub Actions Marketplace. This marketplace provides a curated directory of vetted Actions that developers can use in their CI/CD pipelines, ensuring security without sacrificing productivity.
How Does the Internal Actions Marketplace Work?
- Vetting and Approval: Security and DevOps teams review and approve Actions before they are added to the marketplace.
- Types of Actions Included:
- Third-Party Actions from Reputable Vendors: Actions from organizations like GitHub, Amazon, and approved security vendors.
- Third-Party Actions Meeting Security Requirements: Actions that pass rigorous security assessments.
- First-Party Actions: Internal Actions developed by the enterprise, including forked versions of external Actions for better supply chain control.
- Controlled Access: Developers can only use Actions from the Internal Marketplace in their GitHub Action workflows, ensuring that all components meet the organization's security standards.
By implementing this marketplace, enterprises can:
- Maintain Security: Only vetted and approved Actions are used, reducing the risk of vulnerabilities.
- Enhance Productivity: Developers have access to a wide range of Actions without security concerns.
- Control the Supply Chain: The organization maintains oversight of all Actions in use.
Challenges with Building a Custom Internal Actions Marketplace
While the concept is sound, building and maintaining such a marketplace presents challenges:
- Maintenance of Forked Third-Party Actions: Forked Actions can quickly fall behind the upstream repository, accumulating security issues if not diligently maintained.
- Security Review of Third-Party Actions: Conducting objective and consistent security assessments can be difficult, leading to inconsistent approval decisions.
- Risk Visibility into First-Party Actions: Traditional application security tools offer limited insights into the risks posed by Actions.
StepSecurity's Internal GitHub Actions Marketplace Solution
StepSecurity offers a comprehensive GitHub Actions security platform tailored to address these challenges. Our Internal GitHub Actions Marketplace is a SaaS solution that requires minimal operational overhead from enterprises.
Key Features of StepSecurity's Internal GitHub Actions Marketplace
Actions Inventory
You can discover all third-party and first-party Actions in use across your GitHub organization.
You can also find all GitHub Actions workflows that use a particular Action in your organization.
If an enterprise has an internal GitHub Actions marketplace, Actions Inventory makes it easy for enterprises to discover all outside Actions in use and replace them with a Marketplace Action.
Actions Advisor
Actions Advisor performs objective risk assessments on Actions using several criteria, such as vulnerable dependencies, whether the action is being maintained, how popular it is, etc.
In addition, the advisor also provides visibility into outbound network connections from these Actions.
Actions Advisor provides insights into Actions' risk posture so enterprises can decide whether to add a new third-party Action to their internal GitHub Actions Marketplace. We are extending the feature to scan private first-party Actions as well. This new feature would help enterprises keep their first-party Actions in the marketplace secure and up to date.
Maintained Action
If an enterprise finds an action to be risky, it can request StepSecurity to create a clone, apply security best practices, and maintain it so that the developers can use a secure alternative instead. This solves the dilemma for security and DevOps teams that we have described above. Security and DevOps teams can be assured that all the Actions in use in the enterprise environment are safe without impacting developer productivity. Furthermore, it eliminates the need for enterprises to fork, clone, and maintain third-party Actions in their own environment.
By leveraging StepSecurity's solution, enterprises can overcome the challenges of building a custom internal Actions marketplace. Our platform automates maintenance, provides consistent security assessments, and offers unparalleled visibility into Action risks.
Why Choose StepSecurity?
Unlike traditional security tools that offer limited visibility into GitHub Actions, StepSecurity provides a comprehensive platform designed specifically for the unique needs of CI/CD workflows. We help organizations secure their pipelines without compromising on speed or innovation.
If you would like to create an Internal Actions Marketplace for your organization, please get in touch with using the Contact us page.