GitHub Actions Security
TL;DR
It’s more secure to reference GitHub Actions written by others by referring to the commit hash of the code than the version. Particularly if the action requires access to a secret credential. For example:
upload-codecov.yml
steps:
- uses: actions/checkout@main
- uses: codecov/codecov-action@v4
with:
token: ${{ secrets.CODECOV_TOKEN }} # required…is more safely referenced like below:
upload-codecov.yml
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # sha for v4.1.7
- uses: codecov/codecov-action@af2ee03a4e3e11499d866845a1e6c5a11f85cf4e # sha v4.5.0
with:
token: ${{ secrets.CODECOV_TOKEN }} # requiredBackground
- Open source projects have been subject to a number of social engineering attacks recently.
- This blog post describes risk in relying on GitHub Actions written by others.
The Risk in Plain English
- Developers use GitHub Actions to conveniently automate various tasks. These Actions are often written and maintained by helpful members of the open-source community.
- Some of these Actions require access to secret credentials, for example to publish code to services in the cloud.
- Many of these Actions are widely adopted in the open source community, handling thousands of secrets every day. Developers consider the wide adoption of an Action when deciding whether to trust it.
- There is a risk that bad actors could gain access to an Action’s code by placing pressure upon the package maintainers.
- Once a bad actor has access to this code, they are able to adjust the code associated with the version reference, to do something nefarious, such as harvest secret credentials.
- Updating workflow files to reference the Actions by commit hash guarantees that this code can be trusted to ‘do what it says on the tin’ in the future. Bad actors are unable to create new code that has the same commit reference code (known as SHA, short for Simple Hashing Algorithm).
Updating Your Workflow Files
The layout of the GitHub user interface is liable to change.
- Find the Action that you wish to use on GitHub and click on its banner to navigate to the Action’s homepage.
- Ensure that you have identified the correct Action by checking the author and the number of stars. Click on the link shown to navigate to the Action’s repository.
- Consult the readme and releases section to identify the latest version of the Action. Ensure that the appropriate branch is selected from the branch selector widget.
- Once you have selected the appropriate branch for the latest release, click on the commits section.
- From the list of commits, select the commit associated with the latest release and click the copy button to copy the full commit SHA reference to your clipboard.
- Replace the version reference in your workflow file with your copied commit reference.
Likelihood and Severity
The likelihood of this risk is debatable, but it is not zero.
The community of developers would likely pick up on such an event quickly and many of the targeted Action’s users would benefit from this awareness before any damage could be wrought. But why would you roll the dice? It may be equally possible that you and your colleagues may not realise this event has occurred before it was too late to intervene.
The severity of such an event would relate to the nature of the targeted Action. If said Action intercepted cloud service credentials, such as those required for deployment to GCP, AWS and the like, then the severity could be high. Whereas targeting widely used Actions such as the checkout Action would present differing severities for public or private repositories that use it.
As the effort needed to mitigate this risk is very small, I would encourage GitHub Actions users to consider updating all repositories that make use of such Actions for their continuous deployment workflows. In support of this suggested mitigation, here you can see that the well-known python package numpy have adopted this approach.
Acknowledgements
Thanks to Mat for the conversation about recent bad actor efforts on various well-known open source repositories.
fin!