OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International

New CS proposal: GitHub Actions #1302

Closed mehmetleblebici-tomtom closed 5 months ago

mehmetleblebici-tomtom commented 5 months ago

What is the proposed Cheat Sheet about?

It will aim to provide guidance on configuring and utilising GitHub Actions securely.

What security issues are commonly encountered related to this area?

GitHub Actions security is needed to prevent supply chain attacks. GitHub Action injection attacks are also common, which can result in unauthorised code execution, modifying release packages, disclosure of secrets, etc.

What is the objective of the Cheat Sheet?

It will provide a comprehensive guide for developers and security practitioners with best practices and considerations for securing GitHub Actions workflows.

What other resources exist in this area?

There is an official hardening guide from GitHub. Even though it provides lots of guidance, there might be some additional things like whitelisting actions, using custom deployment protection rules, not using pull_request_target, etc. Also, to enable community support, it will be good to have an open-source guideline so that additional things can be added by the community.
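The issues the proposal names (script injection through untrusted event data, mutable action references, `pull_request_target`, over-broad token permissions) in workflow form, as an added example that is not part of this issue or of the OWASP project's material. The workflow, job and action names are illustrative and the commit SHA is a placeholder; the two documents are in one fence only so the weak and hardened forms can be read side by side, and would live in separate files in a real repository.

```yaml
# Added example (not from the issue or the OWASP project). Names are
# illustrative; the 40-zero commit SHA is a placeholder, not a real pin.

# --- Weak workflow: the patterns the proposal warns about ---
name: pr-check-weak
on:
  pull_request_target:            # runs with base-repo secrets and a write token
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4 # mutable tag: the code behind it can change later
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted code in a privileged job
      - run: echo "PR title: ${{ github.event.pull_request.title }}"
        # the expression is substituted into the script text before the shell
        # starts, so attacker-controlled title text becomes shell syntax
---
# --- Hardened workflow ---
name: pr-check
on:
  pull_request:                   # fork PRs get a read-only token and no secrets
  push:
    branches: [main]
permissions:
  contents: read                  # least privilege for GITHUB_TOKEN; widen per job only
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      # pin to a full commit SHA (placeholder here); keep the version tag as a comment
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - name: Show PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }} # passed to the step as data
        run: echo "PR title: $PR_TITLE"  # the shell expands a variable; nothing is re-parsed
  deploy:
    needs: check
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    environment: production       # protection rules are attached to this environment
    permissions:
      contents: read
    steps:
      - run: echo "deploy step would run here"
```

Two of the items in the proposal are repository or organization settings rather than workflow keys: restricting which actions may be used (the "allow select actions" policy) and deployment protection rules, which only take effect on the `environment: production` job once they are configured on that environment. A useful companion check is to set the repository-wide default for `GITHUB_TOKEN` to read-only, so a workflow that omits `permissions:` does not silently get write access.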