Full Report
Recent attacks on open source focus on exfiltrating secrets; here are the prevention steps you can take today, plus a look at the security capabilities GitHub is working on. The post Securing the open source supply chain across GitHub appeared first on The GitHub Blog.
Analysis Summary
# Best Practices: Securing GitHub Actions & Open Source Supply Chains
## Overview
These practices address the growing trend of "exfiltration attacks" where adversaries target GitHub Actions workflows to steal secrets (API keys, tokens). These stolen credentials are then used to publish malicious packages to repositories like npm, PyPI, and RubyGems, further propagating the supply chain attack.
## Key Recommendations
### Immediate Actions
1. **Enable CodeQL for Actions:** Use CodeQL’s built-in queries to scan your GitHub Actions workflow files (`.github/workflows/`) for security misconfigurations.
2. **Pin Actions to Commit SHAs:** Replace version tags (e.g., `v1`) with full-length commit SHAs (e.g., `3d6a2...`) to prevent "tag floating" attacks where a compromised third-party action is updated under an existing tag.
3. **Audit Trigger Events:** Avoid using the `pull_request_target` trigger unless strictly necessary, as it grants elevated permissions to code from potentially malicious forks.
4. **Activate Dependabot Malware Alerts:** Enable Dependabot on public and private repositories to receive immediate notifications when a dependency is flagged as malicious in the GitHub Advisory Database.
### Short-term Improvements (1-3 months)
1. **Implement Trusted Publishing:** Eliminate long-lived secrets (like npm tokens) from your build environment. Migrate to **OpenID Connect (OIDC)** to authorize deployments to package managers (npm, PyPI, RubyGems, etc.) via workload identity.
2. **Sanitize User Input:** Audit all workflows for potential **script injection** vulnerabilities, specifically where `github.event` data or other user-submitted content is referenced in `run` steps.
3. **Review Secret Storage:** Identify any hard-coded secrets or legacy tokens and move them to GitHub Secrets, or better yet, replace them with OIDC-based identity.
### Long-term Strategy (3+ months)
1. **Adopt "Secure by Default" Settings:** Align with GitHub’s 2026 security roadmap by implementing internal policy controls that enforce OIDC and SHA-pinning across all organizational repositories.
2. **Monitor Deployment Signals:** Use the absence of Trusted Publishing as a security signal. If a dependency suddenly stops using OIDC for publishing, treat it as a high-risk indicator of potential maintainer account compromise.
3. **Continuous Policy Review:** Participate in GitHub Community discussions to stay ahead of the evolving Actions security roadmap and upcoming backward-incompatible security hardening changes.
## Implementation Guidance
### For Small Organizations
- Focus on automation: Turn on Dependabot and CodeQL immediately.
- Use the standard "Trusted Publishing" setups for your specific language (e.g., the PyPI-provided GitHub Action).
### For Medium Organizations
- Centralize workflow templates to ensure all internal projects use SHA-pinned actions.
- Establish a "suspicious PR" review process: Check any pull request that modifies workflow files or dependency SHAs with extra scrutiny.
### For Large Enterprises
- Enforce OIDC across the entire cloud footprint to remove long-lived secrets globally.
- Use GitHub’s policy engine to block workflows that don't meet security criteria (e.g., those using `pull_request_target` on external PRs).
## Configuration Examples
### Pinning an Action via SHA
**Bad:**
```yaml
- uses: actions/checkout@v4
```
**Good:**
```yaml
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
```
### Script Injection Mitigation
**Bad:**
```yaml
- name: Log message
  run: echo "${{ github.event.issue.title }}"
```
**Good (using environment variables):**
```yaml
- name: Log message
  env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
  run: echo "$ISSUE_TITLE"
```
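The following is an added example, not code from the original post or from GitHub: a small line-based Python check for three of the misconfigurations covered above (unpinned `uses:` references, `github.event` or `github.head_ref` expressions inside `run:` steps, and the `pull_request_target` trigger). The sample workflow and the rule names are constructed for the demo; the check is a heuristic, not a YAML parser or a replacement for CodeQL.

```python
import re

# Constructed sample workflow for the demo (not from the original page).
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: ./.github/actions/local-helper
      - name: Log title (unsafe)
        run: |
          echo "${{ github.event.pull_request.title }}"
      - name: Log title (safe)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "$PR_TITLE"
"""

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^'\"\s#]+)")
RUN = re.compile(r"^(\s*(?:-\s+)?)run:")
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")
UNTRUSTED = re.compile(r"\$\{\{[^}]*\bgithub\.(?:event\.|head_ref)[^}]*\}\}")
PRT = re.compile(r"^\s*(?:-\s+)?pull_request_target\b|^on:.*\bpull_request_target\b")

def audit_workflow(text):
    """Return (line_number, rule) findings for one workflow file, in line order."""
    findings, run_col = [], None
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # a dedent ends the multi-line run block
        m = RUN.match(line)
        if m:
            run_col = len(m.group(1))  # column where the "run" key starts
        # Expressions in env: are fine; only flag them inside run: scripts.
        if run_col is not None and UNTRUSTED.search(line):
            findings.append((n, "script-injection"))
        u = USES.match(line)
        # Local (./) and docker:// references are out of scope for SHA pinning.
        if u and not u.group(1).startswith(("./", "docker://")) \
                and not FULL_SHA.search(u.group(1)):
            findings.append((n, "unpinned-action"))
        if PRT.search(line):
            findings.append((n, "pull_request_target"))
    return findings
```

Run `audit_workflow()` over the text of each file under `.github/workflows/` and review every finding by hand; a `pull_request_target` hit is a prompt to check whether the trigger is strictly necessary, not proof of a flaw.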
## Compliance Alignment
- **NIST SSDF (Software Supply Chain Security):** Directly addresses "Protect Software" and "Respond to Vulnerabilities" tasks.
- **OpenSSF Scorecard:** Many of these recommendations (SHA pinning, OIDC) are primary metrics for the OpenSSF Scorecard.
- **CIS GitHub Benchmark:** Aligns with recommendations for workflow permissions and secret management.
## Common Pitfalls to Avoid
- **Blindly trusting Dependabot PRs:** Ensure you verify the source of version updates, as attackers may attempt to push malicious SHAs via automated-looking PRs.
- **Over-privileged GITHUB_TOKEN:** Always define minimum permissions (e.g., `contents: read`) at the top of your workflow files.
- **Ignoring "Trusted Publishing" Signals:** Failing to investigate when a dependency switches from OIDC back to manual credential-based publishing.
## Resources
- **GitHub Documentation:** `docs.github[.]com/actions/reference/security/secure-use`
- **GitHub Advisory Database:** `github[.]com/advisories`
- **OpenSSF Trusted Publishing Blog:** `openssf[.]org/blog/2024/07/31/how-to-make-programming-language-package-repositories-more-secure/`
- **GitHub Roadmap Discussions:** `github[.]com/orgs/community/discussions/190621`