Optimize the Security of Your Workflows in GitHub Actions Using CodeQL

In recent months, significant progress has been made in identifying and mitigating vulnerabilities in GitHub Actions, securing over 75 workflows in open source projects and uncovering more than 90 distinct vulnerabilities. This research effort has led to the implementation of new support for workflows in CodeQL, a tool aimed at helping developers protect their projects more effectively.

Through a series of articles focused on maintaining the security of workflows in GitHub Actions, common vulnerabilities and strategies to address them have been highlighted. Despite these informative warnings, vulnerabilities persist, a situation largely attributed to a lack of understanding of the interaction between different software components and the impact these vulnerabilities can have on organizations or repositories.

To reduce the introduction of new vulnerabilities and assist in identifying and correcting existing ones, support for GitHub Actions workflows has been added to CodeQL. These queries allow scanning of both existing and new workflows, and since code scanning and Copilot Autofix are free for open source repositories, all public GitHub repositories can benefit from them, improving vulnerability detection and remediation.

Development has included adding new capabilities to CodeQL, such as taint tracking and support for Bash, which is crucial because Bash scripts are widely used in GitHub workflows. Taint tracking, for example, helps discern when untrusted data (such as the title or body of an issue or pull request) flows into a script, where it can lead to code injection.

Furthermore, a comprehensive analysis of third-party actions has been conducted, identifying 62 sources (places where untrusted data enters), 129 summaries (how actions propagate that data), and 2,199 sinks (places where untrusted data can cause harm). This analysis has led to 18 new queries that not only focus on code injection but also address issues like excessive exposure of secrets and injection of environment variables.
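The two preceding paragraphs describe the source-to-sink model behind the new queries: attacker-controlled event fields are the sources, and a `run:` step that interpolates them directly into its shell script is the sink. The following added example (not code from the article, nor from CodeQL itself) implements a deliberately small, line-based version of that check in Python. The two workflow snippets and the list of untrusted contexts are constructed for illustration; CodeQL's own source list is considerably larger. The hardened workflow shows the standard remediation: pass the value through an environment variable so the shell receives it as data rather than as part of the script text.

```python
"""Minimal source-to-sink check for GitHub Actions expression injection.

Added example, not part of the original article or of CodeQL. It flags
``run:`` steps whose script text interpolates attacker-controllable event
fields via ``${{ ... }}``, and shows the hardened pattern (pass the value
through ``env:`` and reference it as a shell variable).
"""
import re
from dataclasses import dataclass

# Constructed subset of event fields whose value is chosen by whoever
# opens the issue, pull request or comment. CodeQL tracks many more.
UNTRUSTED_PREFIXES = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.head_commit.message",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY_RE = re.compile(r"^(-\s+)?run:\s*(.*)$")


@dataclass
class Finding:
    line: int          # 1-based line number inside the workflow text
    expression: str    # the untrusted context that reaches the script


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def find_run_injections(workflow_text: str) -> list[Finding]:
    """Return every untrusted expression found inside a run: script."""
    findings: list[Finding] = []
    in_run = False
    run_indent = 0
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.strip()
        m = RUN_KEY_RE.match(stripped)
        if m:
            # Column of the `run` key; block-scalar lines are indented deeper.
            in_run = True
            run_indent = _indent(line) + (len(m.group(1)) if m.group(1) else 0)
            body = m.group(2)
        elif in_run and not stripped:
            continue                      # blank line inside the script
        elif in_run and _indent(line) > run_indent:
            body = stripped               # continuation of the script
        else:
            in_run = False                # sibling key or next step
            continue
        for expr in EXPR_RE.findall(body):
            expr = expr.strip()
            if any(expr.startswith(p) for p in UNTRUSTED_PREFIXES):
                findings.append(Finding(no, expr))
    return findings


# Constructed vulnerable workflow: the issue title is pasted into the script.
VULNERABLE = """\
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"
      - run: echo "Ref ${{ github.ref }}"
"""

# Constructed hardened workflow: the title is passed as an env var and the
# shell expands it as data, so its content cannot alter the script.
HARDENED = """\
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        for f in find_run_injections(text):
            print(f"{name}: line {f.line}: untrusted '{f.expression}' in run script")
```

Running the module reports one finding for the vulnerable workflow (line 7, `github.event.issue.title`) and none for the hardened one; `github.ref` is not flagged because it is not attacker-controlled. Note that the scanner only understands the `run:` key and its block scalar, which is enough to show the principle but far from the full taint analysis the article describes.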

Recently, tests were conducted on thousands of open source projects to validate the accuracy and performance of these new queries, yielding positive results that have enabled the identification and reporting of vulnerabilities in critical organizations such as Microsoft, GitHub, Adobe, and Apache.

With these new tools and techniques, developers are expected to have greater capability to protect their workflows on GitHub and prevent attacks on the open source software supply chain, benefiting the entire developer community. Interested repositories can now enable the Actions analysis in their code scanning configuration to take advantage of this new security capability.

Source: MiMub in Spanish
