Four tips to keep your GitHub Actions workflows secure

GitHub Actions, a popular automation platform, has been identified as a target for code injection vulnerabilities, particularly within open-source projects hosted on GitHub. Research conducted by teams from Purdue University and North Carolina State University, presented at the Usenix Security Conference 2023, uncovered several such vulnerabilities in GitHub Actions workflows. The researchers collaborated with the GitHub Security Lab to verify these vulnerabilities and offer guidance on reporting them. A key vulnerability involves the misuse of GitHub Actions' expression evaluation, which can lead to command injection if user-controlled inputs are not properly handled. To mitigate these risks, it is recommended to use intermediate environment variables for untrusted inputs, enable code scanning for workflows, and adhere to the principle of least privilege by adjusting permission settings for workflow tokens. Additionally, enabling Private Vulnerability Reporting (PVR) facilitates secure communication between security researchers and project maintainers. Despite GitHub's efforts to improve security, maintaining vigilance in workflow security practices is crucial to prevent exploitation.