- Resource Library
- White Papers
- The State of GitHub Actions Security
The State of GitHub Actions Security
Most GitHub Actions workflows are insecure in some way — they are overly privileged, have risky dependencies, etc. Legit research reveals that even projects from enterprises like Google and Apache are flawed.
In addition, the GitHub Actions marketplace security posture is concerning. Most of the Actions there are not verified, maintained by one developer, and have low security scores based on OpenSSF Scorecard.
Why does this matter?
GitHub Actions security is an important aspect of open-source security. Insecure GitHub Actions could allow attackers to compromise open-source and initiate supply chain attacks or use them as an initial attack vector into organizations that use GitHub.
Download The State of GitHub Actions Security – based on an analysis of 2,500,000 GitHub Actions workflow files – to understand:
- GitHub Actions and how they work
- The GitHub Actions attack surface
- Risks and mitigations when writing GitHub Actions
- Risks when using GitHub Custom Actions
Download White Paper
“We’re now able to inventory all our SDLC systems and security tools, view developer activity, and detect and remediate vulnerabilities across them fast.”
Head of DevSecOps
Pharmaceutical Company
“Legit helps us secure our CI/CD pipelines including tracking the security posture of our different teams and workspaces, addressing SDLC configuration drifts, and helping us apply security resources where it can help us most.”
VP of Security
Online Auction Marketplace
“Legit Security’s platform visualizes and analyzes our software pipelines quickly to help ensure security compliance with regulatory frameworks, as well as the unique compliance requirements of some of our large financial services partners.”
Principal Engineer
Financial Services
“Legit is providing us with visibility across the entire supply chain, which helps us minimize risk and raise analyst productivity.”
Deputy Chief Information Security Officer
Enterprise Software Vendor
"Using Legit we immediately got a very clear status of the security posture in our pipelines, and saw where we needed to focus to improve our security."
IT Security Lead
Financial Services
Schedule a Demo
Book a 30 minute demo including the option to analyze your own software supply chain, if desired.