How to Use GitHub Actions with Security in Mind

Explore GitHub Actions security best practices in this NDC Security 2022 conference talk. Learn how to secure your CI/CD pipelines, manage access control, protect sensitive information, and mitigate potential vulnerabilities in your workflows. Discover techniques for safeguarding repository access, handling workflow secrets, and implementing protective measures for runners. Gain insights into managing fork-based security risks, staying up-to-date with action versions, and leveraging automation for enhanced security. Equip yourself with practical knowledge to strengthen your GitHub Actions security posture without compromising DevOps efficiency.

Intro
What are GitHub workflows?
What are GitHub Actions?
Workflow example
Repository security
Code - Who has access?
Configuring access
From the user
Workflow secrets
Who has access to your secrets?
Your code - Best practices
GitHub Actions Security
Best practice: Run the action inside of a container
Persisting data between runs
Workflow runners - Best practice
Verified Creator
Protective measures
Recommendation
Workflow attack vectors
Forks of public repos
Pull Requests
Common fields
Remediation
Forking actions
Staying up to date
Update action versions
Option 1: Use SHA+Dependabot
Use Dependabot
Keep your forked action up to date
Review before merging
Automation
Pros of forking
Best practices summarized