GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions
policy name: all_github_actions_are_allowed
severity: MEDIUM
Description
It is recommended to only use GitHub Actions by Marketplace verified creators or explicitly trusted actions. By not restricting which actions are permitted, developers may use actions that were not audited and may be malicious, thus exposing your pipeline to supply chain attacks.
Threat Example(s)
- Attacker creates a repository with a tempting but malicious custom GitHub Action
- An innocent developer / DevOps engineer uses this malicious action
- The malicious action has access to the developer repository and could steal its secrets or modify its content
Remediation
- Make sure you have admin permissions
- Go to the org’s settings page
- Open the ‘Actions - General’ tab
- Under ‘Policies’, select ‘Allow enterprise, and select non-enterprise, actions and reusable workflows’
- Check ‘Allow actions created by GitHub’ and ‘Allow actions by Marketplace verified creators’
- List any other trusted actions you use under ‘Allow specified actions and reusable workflows’
- Click ‘Save’
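The same settings can be audited and applied through the GitHub REST API instead of the UI. The following Python is an added example, not part of this policy text: it evaluates an org's Actions permissions against the policy above and builds the request bodies for remediation. It assumes the response shape of GET /orgs/{org}/actions/permissions and GET /orgs/{org}/actions/permissions/selected-actions (allowed_actions, github_owned_allowed, verified_allowed, patterns_allowed); the sample responses are constructed.

```python
from typing import List, Optional, Tuple

# Constructed sample responses (assumption: field names follow the GitHub REST
# API for org-level Actions permissions and the selected-actions sub-resource).
NONCOMPLIANT_ORG = {"enabled_repositories": "all", "allowed_actions": "all"}
COMPLIANT_ORG = {"enabled_repositories": "all", "allowed_actions": "selected"}
COMPLIANT_SELECTED = {
    "github_owned_allowed": True,
    "verified_allowed": True,
    "patterns_allowed": ["docker/login-action@*", "my-org/*"],
}
LOOSE_SELECTED = {
    "github_owned_allowed": True,
    "verified_allowed": False,
    "patterns_allowed": ["*"],  # a bare wildcard re-opens the allow list
}


def evaluate(permissions: dict, selected: Optional[dict]) -> List[str]:
    """Return policy findings; an empty list means the org passes."""
    findings = []
    mode = permissions.get("allowed_actions")
    if mode == "local_only":
        # Only actions defined inside the org can run: stricter than required.
        return findings
    if mode != "selected":
        # "all" lets any action on github.com run; the allow list is not consulted.
        findings.append("allowed_actions is not 'selected'")
        return findings
    selected = selected or {}
    if not selected.get("github_owned_allowed"):
        findings.append("actions created by GitHub are not allowed")
    if not selected.get("verified_allowed"):
        findings.append("Marketplace verified creators are not allowed")
    for pattern in selected.get("patterns_allowed", []):
        # Patterns are owner/repo[@ref]; an owner of "*" trusts every publisher.
        owner = pattern.split("/")[0].strip()
        if owner in ("*", ""):
            findings.append(f"pattern '{pattern}' allows actions from any owner")
    return findings


def remediation_payloads(trusted_patterns: List[str]) -> Tuple[dict, dict]:
    """Bodies for PUT .../actions/permissions and PUT .../selected-actions."""
    return (
        {"enabled_repositories": "all", "allowed_actions": "selected"},
        {"github_owned_allowed": True, "verified_allowed": True,
         "patterns_allowed": sorted(set(trusted_patterns))},
    )
```

The two payloads can be applied with `gh api -X PUT /orgs/ORG/actions/permissions --input -` and the matching `.../permissions/selected-actions` endpoint, with ORG as a placeholder for your organization.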