Confidently Manage Risks of Third-Party GitHub Actions in Your CI/CD: Insights from StepSecurity Webinar

Introduction

Thanks to our actively engaged attendees, we enjoyed hosting our webinar on “Confidently Manage Risks of Third-Party GitHub Actions in Your CI/CD” on January 30^th, 2024. The webinar was a combination of expert tips, insights, and practical knowledge. It covered a crucial topic for GitHub Actions security – Governance of third-party GitHub Actions in enterprise environments.

If you missed the webinar, checkout the full webinar recording below:

https://www.youtube.com/watch?v=42pwHF_NPyI

‍

For a summary of the webinar, continue reading this blog post.  

Understanding the GitHub Actions Ecosystem & Its Challenges

Our webinar dove into the inherent security risks posed by GitHub Actions. While powerful for building CI/CD pipelines with ease, GitHub Actions presents significant security challenges. GitHub Action operates in a high-privileged environment, making it attractive to the bad actors seeking to compromise enterprise environments. The proof of this lies in past CI/CD security breaches like the Codecov breach which impacted thousands of enterprises. Some of the significant risks when using third-party GitHub Actions are abandonware risks, reliability concerns, mutable tags, supply chain attacks, and single developer maintenance of third-party Actions.  

GitHub Actions Security Best Practices

Here are a few security best practices to mitigate common GitHub Action risks:

• Enabling organization-level allowed-list to control third-party action in use
• Conducting regular source code audits
• Forking risky Actions to improve security control and control change management
• Pinning action versions to a specific commit SHA
• Utilizing least privileged tokens for GitHub Actions workflows
• Leveraging automated tools like Dependabot or Renovate bot for automated action version upgrades

Typical Enterprise Actions Governance Process and Its Challenges

When a new Action is to be used, enterprises typically follow a review and approval process. Here’s a flow chart of what it usually looks like:

This current process has a lot of challenges associated with it, as observed by the StepSecurity team through several conversations with customers:

• The process is time consuming for the security teams
• There is no standardization in the process, security engineers use subjective risk assessment
• For organizations that don’t fork risky Actions, the decision to use risky third-party Actions either leads to accepting the risk or rejecting them, causing developer friction
• For organizations that do fork risky Actions, forked Actions are hard to maintain as it requires significant time and resource investments.

The Step Security Solution

Step Security offers an end-to-end GitHub Action security platform addressing vulnerabilities across three key layers:

• CI/CD infrastructure security: Ensuring the security of build servers for both, GitHub hosted and self-hosted runners. StepSecurity has built a purpose agent that runs on the runners. For Kubernetes-based Actions Runner Controller (ARC) environments, a Kubernetes DaemonSet is used. This platform hardens the runner environment by implementing network egress filtering and runtime security controls. It gives organizations visibility into outbound network traffic and blocks/flags suspicious activities.  
• Pipeline-as-code analysis: Analyzing GitHub Actions workflow YAML files to identify security misconfigurations and automating fixes for these issues. In addition, the platform helps standardize CI/CD pipelines.  
• Third-party Action Security: providing objective risk assessment for third-party GitHub Actions and StepSecurity maintained secure alternatives for risky GitHub Actions.

Hands-On Lab

The hands-on lab session in the webinar provided participants with a practical demonstration of securing GitHub Actions workflows. The lab began by forking StepSecurity’s open-source educational project for GitHub Actions security- GitHub Actions Goat. This project contains flawed GitHub Actions workflows for learning purposes. The lab showcased how CI/CD security weaknesses, such as unmonitored network traffic can be mitigated using Harden-Runner.

Through step-by-step instructions and demonstrations, participants learned to enhance security by enabling network monitoring, setting up security policies, and analyzing the security scores of third-party actions.

Additionally, the lab gave insights into maintaining and securing Actions, including utilizing maintained Actions to mitigate risks associated with abandoned or insecure third-party Actions. Finally, the lab highlighted practical tips for evaluating and improving overall pipeline security, such as fixing pipeline-as-code issues through automated pull requests.

GitHub Actions Advisor and StepSecurity Maintained Actions

The webinar covered GitHub Actions Advisor, an objective security rating system for evaluating third-party Actions based on multiple criteria such as vulnerable dependencies, licensing, maintenance activity, popularity, and security policies. GitHub Actions Advisor empowers organizations to make informed decisions about the use of third-party Actions, mitigating the risk of using insecure or abandoned components in CI/CD pipelines. This feature is freely available to everyone to make informed decisions. https://app.stepsecurity.io/action-advisor  

We also discussed how StepSecurity maintained Actions offer secure alternatives to risky third-party GitHub Actions for StepSecurity enterprise customers. StepSecurity forks and maintains risky third-party Actions with low scores or abandonment issues, ensuring continuous updates, security enhancements, and adherence to best practices. StepSecurity customers can request StepSecurity to onboard Actions they would like to use. As StepSecurity offers a curated selection of maintained Actions, organizations can streamline the process of selecting and using secure components in their workflows.

Q&A from the Webinar

Q: How do you make sure that Harden-Runner does not break my workflow runs? What if your backend goes down?

A: For GitHub hosted runners, Harden-Runner action is added as a step in the workflow. The Harden-Runner agent does send telemetry back to the StepSecurity backend. However, the agent is architected in such a way that even if the backend is unreachable, it won’t fail the workflow run. We have a similar architecture for self-hosted runners as well.

‍

Q: Would StepSecurity continue to maintain abandoned Actions as well?

A: Yes, once an Action has been onboarded as a StepSecurity maintained Action, StepSecurity will continue to maintain it even if the original Action has been abandoned by the maintainers.

Q: How do you balance the need for pinning Actions with security risks and review overhead?

A: With Step Security maintained Actions, manual pinning to specific commits is unnecessary, as each action undergoes thorough review and ongoing maintenance by StepSecurity. In addition, StepSecurity has a secure automated Actions release process that complies with SLSA level 3 requirements.

Q: Can you provide practical tips for using your rating system to improve overall security for existing Actions?

A: Our system identifies Actions with low scores, enabling organizations to gradually migrate to Step Security Maintained Actions. By replacing low-scoring Actions one at a time, enterprises can incrementally improve Actions security without impacting developer productivity.

Q: Will StepSecurity extend its support to internally developed or private Actions?

A: Insights from Harden-Runner can be provided for internally developed Actions. However, GitHub Actions Advisor requires access to the Action repository. As StepSecurity GitHub app does not have access to source code, the feature does not currently work for internally developed Actions.

Conclusion

Securing third-party GitHub Actions is of utmost importance to keep your organization safe from supply chain attacks. If you would like to improve your third-party Actions governance process, we highly recommend you checkout the StepSecurity platform.

https://app.stepsecurity.io/login