Over the past three years, researchers have repeatedly highlighted the risks associated with GitHub Actions. Those risks materialized in two recent incidents. First, last December brought a supply chain attack in which attackers exploited a vulnerable GitHub Actions workflow to inject an XMRig cryptominer into released versions of the Ultralytics Python package. Then, in March, came the "tj-actions" incident. The attacker took advantage of several common GitHub Actions anti-patterns and clearly drew on the existing research literature to inform their tactics. An in-depth analysis of that incident is available in our blog posts.

As a short recap:

1. A vulnerability in spotbugs/sonar-findbugs allowed the attacker to compromise the Personal Access Token (PAT) of a Spotbugs contributor.
2. That compromised PAT was used to grant a temporary, malicious user access to the spotbugs/spotbugs repository.
3. The write access to spotbugs/spotbugs was used to push a malicious workflow to a branch, leaking the repository's GitHub secrets, including the PAT of a contributor to both spotbugs and reviewdog.
4. The reviewdog access was then used to briefly poison reviewdog/action-setup@v1, which allowed the attacker to compromise a tj-actions PAT.
5. The tj-actions access was used first to target Coinbase (unsuccessfully), and was then burned in a broad attack that modified all tj-actions versions to include malicious code.

In the aftermath of this incident, many organizations are investing in reviewing and hardening their GitHub Actions posture. We hope this guide serves as a cheat sheet for this complicated landscape, complementing GitHub's first-party guidance.

GitHub Actions: Essential Terminology

Figure: based on data from Cardoen, G., Mens, T., & Decan, A. (2024). A dataset of GitHub Actions workflow histories.

It's important to establish the key terms relevant to this domain:

GitHub Actions: A suite of automation features within GitHub that lets you automate tasks in your soft...