Learning More about Security of Github Actions Part 2

Gupta Bless
5 min read · May 26, 2024

My earlier blog post covered what GitHub Actions is good for and several ways to make workflows more secure. There are further measures beyond those, and this post goes through them one at a time.

Don’t directly reference values we can’t control

GitHub Actions exposes several contexts whose values come from outside the workflow (event payloads, manually supplied inputs, branch names, issue and pull request titles, and so on). If a workflow uses those values carelessly, they can lead to injection attacks or unintended manipulation of the workflow.

Consider the following scenario: a user-supplied workflow input is interpolated directly into a run step, as shown below.

- name: Run a command by taking inputs from user
  run: echo "Hello, ${{ github.event.inputs.user }}"

Because ${{ }} expressions are substituted into the script text before the shell parses it, an attacker who controls github.event.inputs.user does not need to break out of anything clever: a value such as x"; some-command; echo " closes the quoted string and appends arbitrary shell commands. Those commands run on the runner with whatever permissions and secrets the job has, so the attacker can execute instructions they are not authorized to run and potentially escalate from there.

To reduce this risk, never interpolate untrusted input directly into a run script. Validate the value first (using the built-in expression functions or your own script), and pass it into the step through an environment variable so the shell treats it as data rather than code. You should always use “env” when dealing with…
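The following script is an added example, not code from the original post or from GitHub. It emulates what the Actions runner does with a run step: every ${{ }} expression is substituted into the script text before the shell sees it. The payload, the function names and the USER_INPUT variable name are constructed for the demonstration; in a real workflow the value would arrive through github.event.inputs.user.

```sh
#!/bin/sh
# Added example (not code from the original post). It emulates how the
# GitHub Actions runner handles a `run:` step: every ${{ expr }} is
# substituted into the script *text* before the shell parses it. The
# payload below is constructed for the demonstration; in a real workflow
# it would arrive via github.event.inputs.user.

# Constructed attacker-controlled value. The leading quote closes the
# string in the vulnerable step, and the trailing one keeps the rest of
# the script syntactically valid so nothing errors out.
PAYLOAD='x"; echo INJECTED; echo "'

# Vulnerable step, as written in the post:
#   run: echo "Hello, ${{ github.event.inputs.user }}"
# The runner replaces the expression textually, so the shell receives
#   echo "Hello, x"; echo INJECTED; echo ""
# and the attacker's command runs with the job's permissions and secrets.
run_vulnerable_step() {
  script="echo \"Hello, $1\""   # textual substitution, as the runner does
  sh -c "$script"
}

# Hardened step. The expression is only ever written into an env var:
#   env:
#     USER_INPUT: ${{ github.event.inputs.user }}
#   run: echo "Hello, $USER_INPUT"
# The shell now expands a variable inside double quotes, so the value is
# printed verbatim and is never parsed as code.
run_hardened_step() {
  USER_INPUT="$1" sh -c 'echo "Hello, $USER_INPUT"'
}

# Returns 0 if the captured output contains a line that is exactly
# INJECTED, i.e. the payload was executed rather than merely printed.
was_injected() {
  printf '%s\n' "$1" | grep -qx 'INJECTED'
}

echo "vulnerable step output:"
run_vulnerable_step "$PAYLOAD"
echo "hardened step output:"
run_hardened_step "$PAYLOAD"
```

The same rule applies to any context an outsider can influence, such as pull request titles, branch names, commit messages or issue bodies: put the expression in an env: entry and read the variable from the script, rather than writing ${{ }} inside run:.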
