All GitHub Actions are allowed to run

Checks for GitHub organizations that allow all GitHub Actions to run without any restriction.

Allowing GitHub Actions workflows to declare jobs with steps based on untrusted third-party actions is a security risk. A Continuous Integration (CI) system such as GitHub Actions should be designed and configured as securely as production systems. In fact, since built artifacts coming out of such a system are often deployed automatically (CD / Continuous Deployment), any compromise of CI/CD indirectly affects production, because malicious code introduced in the pipeline can end up there.
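The check described above, as an added example that is not part of this page or of the scanner it documents: it evaluates the JSON that the GitHub REST endpoints `GET /orgs/{org}/actions/permissions` and `GET /orgs/{org}/actions/permissions/selected-actions` return, flagging `allowed_actions: "all"` as a failure and treating `local_only`, `selected` and disabled Actions as compliant. The sample responses are constructed so the code runs offline.

```python
"""Evaluate a GitHub organization's Actions permission policy (added example).

Uses only the field names GitHub documents for the two permissions endpoints:
enabled_repositories, allowed_actions, github_owned_allowed, verified_allowed,
patterns_allowed. Sample responses below are constructed, not captured.
"""
import json

# Constructed sample: the insecure state this check flags (any action may run).
INSECURE_ORG = json.loads('{"enabled_repositories": "all", "allowed_actions": "all"}')

# Constructed sample: a restricted policy plus its allow-list of actions.
SECURE_ORG = json.loads('{"enabled_repositories": "all", "allowed_actions": "selected"}')
SECURE_SELECTED = json.loads(
    '{"github_owned_allowed": true, "verified_allowed": false, "patterns_allowed": ["my-org/*"]}'
)


def evaluate_actions_policy(permissions, selected_actions=None):
    """Return a finding dict; status is "FAIL" when all actions are allowed to run."""
    enabled = permissions.get("enabled_repositories")
    allowed = permissions.get("allowed_actions")
    if enabled == "none":
        return {"status": "PASS", "reason": "Actions disabled for all repositories"}
    if allowed == "all":
        return {"status": "FAIL", "reason": "any action, including third-party, may run"}
    if allowed == "local_only":
        return {"status": "PASS", "reason": "only actions defined inside the organization may run"}
    if allowed == "selected":
        sel = selected_actions or {}
        return {
            "status": "PASS",
            "reason": "only allow-listed actions may run",
            "github_owned": bool(sel.get("github_owned_allowed")),
            "verified_creators": bool(sel.get("verified_allowed")),
            "patterns": list(sel.get("patterns_allowed", [])),
        }
    return {"status": "UNKNOWN", "reason": f"unrecognized allowed_actions value: {allowed!r}"}


def remediation_payload():
    """Request body for PUT /orgs/{org}/actions/permissions that restricts actions."""
    return {"enabled_repositories": "all", "allowed_actions": "selected"}


if __name__ == "__main__":
    print(evaluate_actions_policy(INSECURE_ORG))
    print(evaluate_actions_policy(SECURE_ORG, SECURE_SELECTED))
```

After applying the remediation payload, the allow-list itself is set with a second request to the `selected-actions` endpoint, which is what makes the `selected` policy restrictive in practice.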

Examples

Insecure Example

Insecure GitHub Action Configuration

Secure Example

Secure GitHub Action Configuration