Report Surfaces Thousands of Potential Vulnerabilities in GitHub Workflows
Security management protocols lacking
“An analysis of 2.5 million GitHub Actions workflow files belonging to 553,000 organizations and personal users published today suggests many DevSecOps teams that use the GitHub continuous integration/continuous delivery (CI/CD) platform to build and deploy applications are relying on workflows that are often fundamentally insecure.
Published by Legit Security, a provider of a platform for managing application security posture, the report uncovered interpolation of untrusted input in more than 7,000 workflows; execution of untrusted code in over 2,500 workflows; and use of untrustworthy artifacts in 3,000-plus workflows.
Additionally, 98% of references used by jobs and steps do not follow the best practice of dependency pinning while 86% of workflows do not limit token permissions.”
https://devops.com/report-surfaces-thousands-of-potential-vulnerabilities-in-github-workflows/
Software supply chain issues pose huge problems for all kinds of software packages and operating systems. That is where DevOps comes in: a set of practices and tools, applied as a methodology, for improving, streamlining and securing software development and its output.
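The four weaknesses the report counts (untrusted input interpolated into scripts, execution of untrusted code, unpinned action references and unrestricted token permissions) are all things a repository owner can check for mechanically. What follows is an added example written for this page, not code from the report, from Legit Security or from GitHub: a small stdlib-only Python scanner run over two constructed workflow files, one that exhibits all four findings and a hardened rewrite of it. The workflow contents, the list of contributor-controlled event fields, and the simplification that any `pull_request_target` mention makes a PR-head checkout dangerous are assumptions made for illustration; the commit SHA in the hardened file shows the pinning format only, so look up the commit for the release you actually use before copying it.

```python
import re

# Constructed sample workflows for this example (not taken from the report).
VULNERABLE_WORKFLOW = """\
name: ci
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Greet
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          make test
"""

HARDENED_WORKFLOW = """\
name: ci
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # verify the tag's commit before pinning
        with:
          persist-credentials: false
      - name: Greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $PR_TITLE"
          make test
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
EXPR_RE = re.compile(r"\$\{\{([^}]*)\}\}")
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
PERMS_RE = re.compile(r"^\s*permissions:")
CHECKOUT_REF_RE = re.compile(r"^\s*ref:\s*.*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)")
# Event fields an outside contributor controls (assumed list for this example, not exhaustive).
UNTRUSTED_RE = re.compile(
    r"github\.(head_ref|event\.(pull_request\.(title|body|head\.(ref|label|repo\.\w+))"
    r"|issue\.(title|body)|comment\.body|review\.body|discussion\.(title|body)"
    r"|head_commit\.(message|author\.\w+)|commits\b.*\.message))"
)


def _run_scripts(lines):
    """Yield (line number of the `run:` key, script text); handles `|` and `>` block scalars."""
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1)) + len(m.group(2) or "")  # column where `run` starts
        rest = m.group(3).strip()
        if rest and rest[0] in "|>":  # block scalar: take the more-indented lines that follow
            block, j = [], i + 1
            while j < len(lines):
                line = lines[j]
                if line.strip() and len(line) - len(line.lstrip()) <= key_col:
                    break
                block.append(line)
                j += 1
            yield i + 1, "\n".join(block)
            i = j
        else:
            yield i + 1, rest
            i += 1


def scan_workflow(text):
    """Return 'category: detail' findings for one workflow file (line-based, not a YAML parser)."""
    lines = text.splitlines()
    findings = []
    # 1. Contributor-controlled input expanded straight into a shell script (expression injection).
    for lineno, script in _run_scripts(lines):
        for expr in EXPR_RE.findall(script):
            if UNTRUSTED_RE.search(expr):
                findings.append("untrusted-interpolation: line %d: %s" % (lineno, expr.strip()))
    # 2. Privileged trigger plus checkout of the PR head: the PR's code runs with base-repo secrets.
    if re.search(r"\bpull_request_target\b", text):
        for lineno, line in enumerate(lines, 1):
            if CHECKOUT_REF_RE.match(line):
                findings.append("untrusted-checkout: line %d: %s" % (lineno, line.strip()))
    # 3. Actions referenced by tag or branch instead of a full commit SHA.
    for lineno, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are outside this check
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append("unpinned-action: line %d: %s" % (lineno, ref))
    # 4. No permissions block anywhere: GITHUB_TOKEN gets the repository's default scope.
    if not any(PERMS_RE.match(line) for line in lines):
        findings.append("no-permissions: workflow never sets `permissions:` for GITHUB_TOKEN")
    return findings


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, scan_workflow(wf) or ["clean"])
```

The hardened file shows the corresponding fixes side by side with the findings: the trigger drops to `pull_request` so the PR's code never runs with the base repository's token, the action is pinned to a full commit SHA, `permissions:` is set explicitly to read-only, and the PR title reaches the shell through an environment variable so the script sees `$PR_TITLE` rather than the title's contents being pasted into the command line. The scanner is deliberately line-based so it runs with no third-party packages; a production version should parse the YAML properly.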