While developers rushed to build their next big feature, a supply-chain compromise of tj-actions/changed-files (CVE-2025-30066) sat in plain sight, exposing CI secrets to anyone who could read a workflow log. On 14 and 15 March 2025 the attacker rewrote the action's release tags, v1 through v45.0.7, so that every one of them pointed at a commit containing malicious updateFeatures code. Nothing in a consumer's workflow changed; the tag they trusted simply started resolving to different code, and that code dumped the runner's secrets into the job log, which for a public repository anyone on the internet can read. Talk about a security nightmare.
This isn't just some minor bug. The CVSS rating says high confidentiality impact, network attack vector, low complexity, zero user interaction: the attacker never touches your repository, they just wait for the poisoned tag to run and then read the logs. Developers blindly trusting third-party actions by tag might want to rethink that strategy.
The scariest part? Only 4.74% of custom GitHub Actions are published by verified creators. Let that sink in. The rest? Who knows. Could be your friendly neighborhood developer or someone with more sinister intentions. And with 18% of actions carrying dependencies with known vulnerabilities, the odds aren't exactly in your favor.
Trust the vast majority of GitHub Actions at your own risk: most are unverified, which means nobody but the maintainer has looked at them, not that they are malicious.
Most GitHub Actions are maintained by lone developers. One person. One set of eyes. One mistake, or one stolen credential, away from compromising your entire build pipeline; the tj-actions tags were moved with a compromised personal access token, not a clever exploit. The average OSSF Scorecard rating for actions sits at a measly 4.23 out of 10. Not exactly confidence-inspiring. Reassess the actions you depend on regularly: a maintainer's security posture can change, and so can the code behind a tag.
Misconfigurations make everything worse. A staggering 98.4% of action references are not pinned to a commit SHA, so they resolve to whatever a mutable tag or branch points at today, which is exactly what the tj-actions attacker exploited. And 86% of workflows run with an overprivileged GITHUB_TOKEN: write scopes the job never uses, handed to every step in it, third-party ones included. Might as well hand over the keys to your kingdom wrapped in a bow.
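Both of those misconfigurations are mechanical to find. The script below is an added example written for this page (not from the original article or from GitHub) that flags `uses:` references not pinned to a full-length commit SHA and workflows whose GITHUB_TOKEN is left at default or `write-all` scope. The two embedded workflows are constructed for the example, and the 40-hex values in them are placeholders, not real commit SHAs; the parser is line-based so it needs no YAML library, at the cost of missing unusual YAML spellings.

```python
import re

# Constructed sample workflows for this example; not taken from any real repository.
# The 40-hex values are placeholders, not real commit SHAs: look up the real one
# for the release you want (git rev-parse on the tag) before copying this pattern.
LOOSE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.8.2
      - run: npm test
"""

HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.8.2
      - run: npm test
"""

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERMISSIONS_RE = re.compile(r"^\s*permissions:\s*(.*?)\s*$")


def audit_workflow(text):
    """Return (line, category, message) findings for mutable action refs and token scope.

    Line-based on purpose so it needs no YAML library; it catches the common
    `- uses:` and `permissions:` forms but not every YAML spelling of them.
    """
    findings = []
    seen_permissions = False
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PERMISSIONS_RE.match(line)
        if m:
            seen_permissions = True
            if m.group(1) == "write-all":
                findings.append((lineno, "permissions",
                                 "write-all hands GITHUB_TOKEN every scope"))
            continue
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are pinned differently
        if "@" not in ref:
            findings.append((lineno, "pin", f"{ref}: no ref, resolves to the default branch"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, "pin",
                             f"{ref}: mutable ref '{version}', pin to a full-length commit SHA"))
    if not seen_permissions:
        findings.append((0, "permissions",
                         "no permissions block; GITHUB_TOKEN gets the repository default scopes"))
    return findings


if __name__ == "__main__":
    for name, wf in (("loose", LOOSE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or "clean")
```

Run it over every file under `.github/workflows/` and treat any finding as a pull-request blocker. The trailing `# vX.Y.Z` comment next to a SHA pin is the convention Dependabot relies on to propose bumps, so keep it when you pin.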
Thankfully, GitHub offers some protection: the dependency graph, Dependabot alerts (and Dependabot version updates, which can bump SHA pins for you and keep the version comment current), code scanning with CodeQL, and repository and organization policies that restrict which actions are allowed to run at all. But these tools only work if you actually turn them on. Novel concept, right?
The tj-actions repository has been cleaned up, the tags restored and a fresh v46 line released, but that raises a bigger question: how many other time bombs are ticking in your workflows? Without auditing what you run, pinning every action to a full-length commit SHA, and scoping GITHUB_TOKEN to the least privilege each job needs, you're basically playing security roulette with your codebase. And don't count on log masking to save you. GitHub redacts a secret only where its exact value appears in the output, so a step that prints it in pieces, echo ${SOME_SECRET:0:4} followed by the remainder, leaks it in plain view; the tj-actions payload took a similar route, printing the harvested secrets double-base64-encoded so the masker never saw a matching string. Keep secrets in GitHub Secrets rather than in plain text in the workflow or repository, but remember that the store only governs who can read them at rest: once a job with access to them runs untrusted code, that code has them. Anything that reached a log needs to be rotated, not just redacted.
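To make the masking gap concrete, here is an added example (written for this page, not code from the original article or from GitHub) that models the runner's behaviour: bash-style `${VAR:offset:length}` expansion followed by exact-match masking of registered secret values. It then runs a small post-incident check an auditor can apply to saved logs, flagging any line that contains a run of characters from a known secret. The secret value, the environment and the step outputs are all constructed for the example, and `redact` is a deliberately simplified model of GitHub's masking, not its real implementation.

```python
import re

# Constructed values for this example; the secret is invented, not a real credential.
SOME_SECRET = "s3cr3t-EXAMPLE-token-value-0123456789"
ENV = {"SOME_SECRET": SOME_SECRET}

# What four `run:` steps would print; each string is the argument of an echo in bash.
STEP_OUTPUT_TEMPLATES = [
    "${SOME_SECRET}",        # echo "$SOME_SECRET": exact value, masked by the runner
    "${SOME_SECRET:0:8}",    # echo "${SOME_SECRET:0:8}": first 8 chars, not masked
    "${SOME_SECRET:8:8}",    # next 8 chars
    "${SOME_SECRET:16}",     # the rest
]

EXPAND_RE = re.compile(r"\$\{(\w+)(?::(\d+)(?::(\d+))?)?\}")


def expand(template, env):
    """Expand ${VAR}, ${VAR:offset} and ${VAR:offset:length} the way bash does."""
    def sub(m):
        val = env.get(m.group(1), "")
        if m.group(2) is None:
            return val
        off = int(m.group(2))
        return val[off:] if m.group(3) is None else val[off:off + int(m.group(3))]
    return EXPAND_RE.sub(sub, template)


def redact(line, secrets):
    """Simplified model of GitHub's log masking (an assumption of this example):
    exact occurrences of a registered secret value become ***. Substrings are
    not recognised, which is the whole problem."""
    for s in secrets:
        if s:
            line = line.replace(s, "***")
    return line


def simulate_log(templates, env, secrets):
    """Run each step's output through expansion, then masking, as the runner would."""
    return [redact(expand(t, env), secrets) for t in templates]


def find_partial_leaks(log_lines, secrets, min_chunk=6):
    """Post-incident check over saved logs: flag lines containing any run of
    >= min_chunk characters taken from a known secret. Heuristic; raise
    min_chunk if your secrets share long common prefixes."""
    flagged = []
    for i, line in enumerate(log_lines, 1):
        if any(s[k:k + min_chunk] in line
               for s in secrets
               for k in range(len(s) - min_chunk + 1)):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    log = simulate_log(STEP_OUTPUT_TEMPLATES, ENV, [SOME_SECRET])
    for line in log:
        print(line)
    print("attacker can reassemble:", "".join(log[1:]) == SOME_SECRET)
    print("lines to investigate:", find_partial_leaks(log + ["Tests passed"], [SOME_SECRET]))
```

The first line comes out as `***`; the next three come out untouched and concatenate back to the full secret. The checker needs the plaintext secret values, so run it where they are already available (a rotation job, or an incident-response box), never by pasting secrets into the same CI that leaked them.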
GitHub Actions are powerful. They’re also dangerous in the wrong hands. Or, apparently, in almost any hands.