Introduction
The rapid growth of reusable open-source GitHub Actions—now numbering over 20,000—has revolutionized how enterprises build their CI/CD pipelines. Developers can assemble these third-party Actions with appropriate parameters to create powerful workflows quickly. However, this abundance also introduces significant supply chain risks. How can organizations leverage the benefits of third-party GitHub Actions while maintaining robust security standards?
What Are Third-Party GitHub Actions?
Third-party GitHub Actions are reusable components developed and shared by the GitHub community—including Fortune 500 companies like Google and Amazon, as well as individual hobby developers. By referencing these open-source repositories, any GitHub Actions CI/CD workflow can use these Actions, streamlining development processes.
Key Risks with Third-Party GitHub Actions
While the convenience of third-party Actions is undeniable, their use introduces several significant risks:
- Introduction of Vulnerabilities: Unvetted Actions may contain vulnerabilities that can be exploited.
- Compromise of Admin Credentials: Actions often have access to sensitive credentials, posing a risk if the Action is malicious or compromised.
- Production of Tampered Software Builds: Malicious Actions can alter build processes, leading to the deployment of compromised software.
For instance, imagine an organization unknowingly incorporates an Action maintained by a hobby developer who is later compromised by a threat actor, and the threat actor introduces a backdoor into the Action. This will lead to a breach of sensitive enterprise data and secrets. If the Action is used in a CI/CD pipeline that builds software, and that software is shipped to customers, all of those customers can be compromised as well.
The Dilemma for Security and DevOps Teams
Many core and popular open-source Actions come from individual developers who may lack the resources to maintain them securely. Security and DevOps teams face a tough choice:
- Allow Risky Third-Party Actions: Accept the security risks associated with these Actions to maintain developer productivity.
- Deny Risky Third-Party Actions: Hamper developer productivity and velocity by restricting the use of these Actions.
Choosing the first option may expose the organization to vulnerabilities and potential breaches. The second option could slow development cycles, making it harder to stay competitive in a fast-paced market. Neither choice is ideal.
Solution: Implementing an Internal GitHub Actions Marketplace
Enterprises can resolve this dilemma by creating and maintaining an Internal GitHub Actions Marketplace. This marketplace provides a curated directory of vetted Actions that developers can use in their CI/CD pipelines, ensuring security without sacrificing productivity.

How Does the Internal Actions Marketplace Work?
- Vetting and Approval: Security and DevOps teams review and approve Actions before they are added to the marketplace.
- Types of Actions Included:
  - Third-Party Actions from Reputable Vendors: Actions from organizations like GitHub, Amazon, and approved security vendors.
  - Third-Party Actions Meeting Security Requirements: Actions that pass rigorous security assessments.
  - First-Party Actions: Internal Actions developed by the enterprise, including forked versions of external Actions for better supply chain control.
- Controlled Access: Developers can only use Actions from the Internal Marketplace in their GitHub Action workflows, ensuring that all components meet the organization's security standards.
By implementing this marketplace, enterprises can:
- Maintain Security: Only vetted and approved Actions are used, reducing the risk of vulnerabilities.
- Enhance Productivity: Developers have access to a wide range of Actions without security concerns.
- Control the Supply Chain: The organization maintains oversight of all Actions in use.
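One way to check the Controlled Access rule above in CI, as an added example (not StepSecurity's code and not part of the original article): a script that reads `uses:` references from a workflow file and reports any that fall outside the curated catalogue. The allowlist entries, the `example-corp` and `Hobby-Dev/fast-cache` names, and the sample workflow are constructed for illustration; treating local `./` actions as first-party is an assumption.

```python
import re

# Constructed allowlist standing in for the internal marketplace catalogue.
# "owner/*" trusts a whole publisher; "owner/repo" trusts a single Action.
ALLOWLIST = {"actions/*", "aws-actions/*", "example-corp/*"}

# Constructed workflow, embedded so the example runs offline.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
      - uses: "Hobby-Dev/fast-cache@main"   # hypothetical, never vetted
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - uses: example-corp/forked-setup-tool@v2
      # - uses: commented/out@v1
      - run: echo "uses: not/a-step@v1"
"""

# Matches a step-level or job-level `uses:` key, ignoring comments and run text.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^'"\s#]+)""")

def audit_workflow(text, allowlist=ALLOWLIST):
    """Return (line_number, reference, reason) for each reference outside the allowlist."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # assumption: local actions in the same repo are first-party
        if ref.startswith("docker://"):
            findings.append((n, ref, "container image, not a catalogue Action"))
            continue
        parts = ref.split("@", 1)[0].lower().split("/")  # names are case-insensitive
        if len(parts) < 2:
            findings.append((n, ref, "malformed reference"))
        elif f"{parts[0]}/*" not in allowlist and "/".join(parts[:2]) not in allowlist:
            findings.append((n, ref, "not in internal marketplace"))
    return findings

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

A non-empty result can fail a pull-request check before the workflow change is merged.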
Challenges with Building a Custom Internal Actions Marketplace
While the concept is sound, building and maintaining such a marketplace presents challenges:
- Maintenance of Forked Third-Party Actions: Forked Actions can quickly fall behind the upstream repository, accumulating security issues if not diligently maintained.
- Security Review of Third-Party Actions: Conducting objective and consistent security assessments can be difficult, leading to inconsistent approval decisions.
- Risk Visibility into First-Party Actions: Traditional application security tools offer limited insights into the risks posed by Actions.
StepSecurity's Internal GitHub Actions Marketplace Solution
StepSecurity offers a comprehensive GitHub Actions security platform tailored to address these challenges. Our Internal GitHub Actions Marketplace is a SaaS solution that requires minimal operational overhead from enterprises.

Key Features of StepSecurity's Internal GitHub Actions Marketplace
Actions Inventory
To get insights into the GitHub Actions used in your repositories, navigate to the Actions section in the StepSecurity dashboard. Here, you can find:
- The name of each Action.
- The Action Security Score.
- The Repositories using that particular Action.

GitHub Actions Advisor
This page helps you assess the security score of any GitHub Action used in your workflows. These security scores are graded by OpenSSF Scorecard.

In addition, it provides visibility into outbound network connections from these Actions.

StepSecurity Maintained Action
If an enterprise finds an action to be risky, it can request StepSecurity to create a clone, apply security best practices, and maintain it so that the developers can use a secure alternative instead. This solves the dilemma for security and DevOps teams that we have described above. Security and DevOps teams can be assured that all the Actions in use in the enterprise environment are safe without impacting developer productivity. Furthermore, it eliminates the need for enterprises to fork, clone, and maintain third-party Actions in their own environment.
Compromised Actions Policy
The Compromised Actions Policy prevents the use of known malicious or compromised GitHub Actions in workflows. It scans for references to actions flagged as security risks and blocks their execution to protect your environment.
Allowed Actions Policy
Use this policy to enforce an allowlist of GitHub Actions.
By leveraging StepSecurity's solution, enterprises can overcome the challenges of building a custom internal Actions marketplace. Our platform automates maintenance, provides consistent security assessments, and offers unparalleled visibility into Action risks.

Why Choose StepSecurity?
Unlike traditional security tools that offer limited visibility into GitHub Actions, StepSecurity provides a comprehensive platform designed specifically for the unique needs of CI/CD workflows. We help organizations secure their pipelines without compromising on speed or innovation.
If you would like to create an Internal Actions Marketplace for your organization, please get in touch with us using the Contact us page.