Automate GitHub Actions Security Best Practices
Save time and effort in securing your GitHub Actions workflows
What are GitHub Actions?
GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform. With GitHub Actions, developers can define a set of tasks to run when they push code to GitHub. GitHub Actions is free for GitHub-hosted runners in public repositories. GitHub Actions is also flexible, allowing developers to customize their workflows to fit their needs. As a result, GitHub Actions has become a popular tool for developers to improve their productivity.
Why is it essential to secure your GitHub Actions workflows?
GitHub Actions workflows used for continuous deployments have privileged credentials. Also, at the start of each workflow run, GitHub creates a unique GITHUB_TOKEN for your workflow runs. If these credentials get compromised, an attacker can tamper with repository content, releases, and packages. This can lead to a software supply chain attack and compromise of production systems.
What are the critical GitHub Actions Security Best Practices?
1. Set minimum GITHUB_TOKEN permissions
The GITHUB_TOKEN is made available to each job to authenticate to the GitHub API. To limit the damage if this token gets compromised, set the least permissions for the GITHUB_TOKEN based on the job’s needs.
2. Pin Actions to a full-length commit SHA
GitHub Action tags are mutable, which poses a security risk. If the tag changes, you will not have a chance to review it before it gets used. To mitigate this risk, consider pinning Actions to a full-length commit SHA.
3. Keep GitHub Actions up to date
Like other dependencies, GitHub Actions receive security updates. Configure a dependency update tool, such as Dependabot, to update GitHub Actions to their latest version.
4. Harden GitHub Action runners
During a pipeline run, several dependencies and build tools get downloaded. If one of these dependencies is malicious, it can exfiltrate credentials from the runner or tamper with the release build. To mitigate this risk, use the Harden-Runner GitHub Action. Harden-Runner GitHub Action, works for GitHub-Hosted and Actions Runner Controller (ARC) runners, and enables setting a policy to restrict outbound network calls to an allowed list. It also detects tampering of source code during the build process.
5. Use OpenID Connect (OIDC) to access cloud resources
Several cloud providers, such as AWS, GCP, and Azure, support OpenID Connect (OIDC). To deploy to a cloud provider that supports OIDC, you can configure your workflows to authenticate directly to the cloud provider. OIDC removes the need to store long-lived cloud credentials as GitHub secrets.
How to automate GitHub Actions Security Best Practices?
While you can apply these best practices manually, it can be cumbersome, time-consuming, and error-prone.
StepSecurity’s Secure-Repo open-source project automates the steps of applying these best practices. It takes a workflow (YAML file) as input and transforms it to use the GitHub Actions security best practices.
You can use a hosted instance for public repositories at https://app.stepsecurity.io. Using this, you can create a pull request with the best practices applied for all workflows in your public GitHub repository. You don’t need to install any GitHub App to use it.
- You specify a public GitHub repository URL and click on
Analyze
. - SecureWorkflows fetches all the workflow files for your repository, analyzes them, and shows a list of remediations.
- You select the remediations you want and click on
Create a pull request
. A pull request is created with the security best practices.
Example Pull requests from popular projects
Here are three examples from popular open-source projects that applied GitHub Actions security best practices using SecureWorkflows:
- Electron: Electron is used to build desktop apps with JavaScript, HTML, and CSS
https://github.com/electron/electron/pull/36343
In this pull request, created using SecureWorkflows, the workflow file has the GitHub Actions tags pinned automatically to their full-length commit SHA.
2. Kubernetes-ingress: NGINX Ingress Controllers for Kubernetes
https://github.com/nginxinc/kubernetes-ingress/pull/3134
In this pull request, minimum permissions are set automatically for the GITHUB_TOKEN
3. Attrs: Attrs enables writing Python classes
https://github.com/python-attrs/attrs/pull/1034
This pull request adds the Harden Runner GitHub Action to the workflow file.
Summary
Thousands of open-source projects use GitHub Actions. It is vital to secure GitHub Actions workflows to prevent software supply chain attacks. Following security best practices for GitHub Actions workflows can be cumbersome and time-consuming. Many open-source projects have saved time and effort by using Secure-Repo. To apply GitHub Actions security best practices to your public repositories, use the hosted instance at https://app.stepsecurity.io.
For a comprehensive GitHub Actions Security Platform for the enterprise,
check out https://www.stepsecurity.io
Resources
[1] Understanding GitHub Actions
https://docs.github.com/en/actions/learn-github-actions/understanding-github-actions
[2] Usage limits, billing, and administration
https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration
[3] Automatic token authentication
[4] Security hardening for GitHub Actions
[5] Harden Runner GitHub Action
https://github.com/step-security/harden-runner
[6] StepSecurity SecureWorkflows project
https://github.com/step-security/secure-workflows
[7] A hosted instance of SecureWorkflows project for public repositories