
This chapter covers
- Writing secure action workflows
- Securing the actions used in workflows
- Adding supply chain security
- Enabling Dependabot for dependency scanning
- Enabling code scanning with CodeQL
This chapter shares best practices to ensure you use actions and workflows in a safe and secure way. We describe problems commonly encountered when using actions, as well as how you can deal with them. We start with some basic security bugs you need to be aware of and how your team or organization can avoid them. The second part of the chapter covers how to ensure you are doing all you can so that the software your automation process delivers is secure.
10.1 Preventing pwn requests
GitHub workflows can be activated by a diverse range of repository events, including those tied to incoming pull requests (PRs). A potential hazard lies in the misuse of the pull_request_target workflow trigger, as it can allow malicious PR authors (i.e., attackers) to gain access to repository write permissions or steal repository secrets. This type of attack is known as a pwn request.
Automated handling of PRs from external forks carries inherent risk. Such PRs should be treated as untrusted inputs. When a workflow processes untrusted PRs automatically, that behavior can leave your repository vulnerable to exploitation if not handled cautiously.
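One way to review a repository for the misuse described above is to scan its workflow files for the risky combination. The following is an added example, not code from the book: the function name audit_workflow, the regex heuristic, and both sample workflows are assumptions constructed for illustration.

```python
import re

# Assumption of this example: a pull_request_target workflow is risky when it
# also references the PR head, pulling fork code into a privileged run.
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")

def audit_workflow(text):
    """Return findings for one workflow file's text (line-based heuristic)."""
    # Drop YAML comments so a commented-out trigger is not counted.
    lines = [re.sub(r"(^|\s)#.*$", "", l) for l in text.splitlines()]
    body = "\n".join(lines)
    if not re.search(r"\bpull_request_target\b", body):
        return []
    findings = [f"line {n}: references the PR head (untrusted code)"
                for n, l in enumerate(lines, 1) if HEAD_REF.search(l)]
    if not re.search(r"^permissions\s*:", body, re.M):
        findings.append("no workflow-level permissions block")
    return findings

# Constructed sample: runs the fork's code with the base repo's privileges.
RISKY = """\
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

# Constructed sample: same trigger, but only labels the PR, never runs its code.
LABEL_ONLY = """\
on: pull_request_target
permissions:
  contents: read
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

if __name__ == "__main__":
    for name, wf in (("RISKY", RISKY), ("LABEL_ONLY", LABEL_ONLY)):
        print(name, audit_workflow(wf) or "no findings")
```

A finding is a prompt for manual review, not proof of a flaw; the check is text-based and does not follow reusable workflows or composite actions.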