The demand for quick and reliable DevOps operations pushed distributors of
repository platforms to implement workflows. Workflows allow automating code
management operations directly on the repository hosting the software. However,
this feature also introduces security issues that directly affect the
repository, its content, and all the software supply chains in which the hosted
code is involved in. Hence, an attack exploiting vulnerable workflows can
affect disruptively large software ecosystems. To empirically assess the
importance of this problem, in this paper, we focus on the de-facto main
distributor (i.e., GitHub), and we developed a security assessment methodology
for GitHub Actions workflows, which are widely adopted in software supply
chains. We implemented the methodology in a tool (GHAST) and applied it on 50
open-source projects. The experimental results are worrisome as they allowed
identifying a total of 24,905 security issues (all reported to the
corresponding stakeholders), thereby indicating that the problem is open and
demands further research and investigation.

By admin