The demand for quick and reliable DevOps operations has pushed distributors of repository platforms to implement workflows. Workflows allow code management operations to be automated directly on the repository hosting the software. However, this feature also introduces security issues that directly affect the repository, its content, and every software supply chain in which the hosted code is involved. Hence, an attack exploiting vulnerable workflows can disruptively affect large software ecosystems. To empirically assess the importance of this problem, in this paper we focus on the de-facto main distributor (i.e., GitHub), and we develop a security assessment methodology for GitHub Actions workflows, which are widely adopted in software supply chains. We implemented the methodology in a tool (GHAST) and applied it to 50 open-source projects. The experimental results are worrisome: they allowed us to identify a total of 24,905 security issues (all reported to the corresponding stakeholders), thereby indicating that the problem is open and demands further research and investigation.