{"id":286899,"date":"2024-07-28T11:00:46","date_gmt":"2024-07-28T11:00:46","guid":{"rendered":"https:\/\/www.techopedia.com\/?p=286899"},"modified":"2024-07-28T11:00:45","modified_gmt":"2024-07-28T11:00:45","slug":"is-github-dying-a-slow-death","status":"publish","type":"post","link":"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death","title":{"rendered":"Is GitHub Dying a Slow Death?"},"content":{"rendered":"<p><a href=\"https:\/\/www.techopedia.com\/definition\/github\">GitHub<\/a>, the <a href=\"https:\/\/www.techopedia.com\/definition\/3294\/open-source\">open-source<\/a> developers&#8217; paradise, is no longer what it used to be. After years of increasing calls that attackers are leveraging the platform to distribute and sneak in <a href=\"http:\/\/malware\" target=\"_blank\">malware<\/a>, a new report reached a shocking conclusion.<\/p>\n<p>The <strong>Legit Security<\/strong> report found that <a href=\"https:\/\/info.legitsecurity.com\/the-state-of-github-actions-security\" target=\"_blank\">most GitHub Actions are not created by verified users<\/a>, are not maintained, have <a href=\"https:\/\/www.techopedia.com\/definition\/13484\/vulnerability\">vulnerabilities<\/a>, and have very low-security scores.<\/p>\n<p>Roy Blit, Head of Research at Legit Security, spoke about the dangers that this represents for companies everywhere, in a <a href=\"https:\/\/www.legitsecurity.com\/press-releases\/the-state-of-github-actions-security\" target=\"_blank\">press release<\/a>.<\/p>\n<blockquote><p>&#8220;GitHub is an extremely popular platform. In fact, more than 100 million developers and over 90% of Fortune 100 companies use it.<\/p>\n<p>&nbsp;<\/p>\n<p>&#8220;However, despite its popularity, most GitHub Actions workflows are insecure in some way \u2014 from being overly privileged to having high-risk dependencies.<\/p>\n<p>&nbsp;<\/p>\n<p>&#8220;For instance, our past research found even projects from global enterprises like <strong>Google and Apache are flawed<\/strong>. These findings are alarming because GitHub Actions provide the key to critical infrastructure.<\/p>\n<p>&nbsp;<\/p>\n<p>&#8220;They are connected to an organization&#8217;s source code and their deployment environment, so once exploited, the organization is completely in the attacker&#8217;s hands.&#8221;<\/p><\/blockquote>\n<div class=\"su-note\"  style=\"border-color:#dddddd;border-radius:3px;-moz-border-radius:3px;-webkit-border-radius:3px;\"><div class=\"su-note-inner su-u-clearfix su-u-trim\" style=\"background-color:#f7f7f7;border-color:#ffffff;color:#333333;border-radius:3px;-moz-border-radius:3px;-webkit-border-radius:3px;\">\n<h2><span id=\"key_takeaways\">Key Takeaways<\/span><\/h2>\n<ul>\n<li>A new report suggests GitHub Actions pose a security risk \u2014 a large portion of GitHub Actions are not created by verified users, lack maintenance, and have vulnerabilities.<\/li>\n<li>The scale of the problem is significant, with worrying trends like untrusted code execution in thousands of workflows and insecure dependency management.<\/li>\n<li>While GitHub can improve platform security, developers must prioritize secure coding practices and utilize built-in security features within Actions.<\/li>\n<li>Alternatives exist, but due diligence is key. Exploring alternatives like GitLab or self-hosted options comes with its own security considerations.<\/li>\n<\/ul>\n<\/div><\/div>\n<div>\n    <section class=\"toc-sticky w-100 bg-white \">\n        <div class=\"toc-sticky__container container\">\n            <div class=\"toc-sticky__open d-flex align-items-end\" data-bs-toggle=\"collapse\"\n                 aria-controls=\"multiCollapse1\"\n                 data-bs-target=\"#multiCollapse1\">\n                <button\n                        class=\"btn btn-primary collapse-action-btn p-1 rounded-circle\"\n                        type=\"button\"\n                >\n                    <i class=\"icon-chevron-up\"><\/i>\n                <\/button>\n                <span id=\"toc-current-title\" class=\"d-flex align-items-center\">\n                    Table of Contents\n                <\/span>\n                <span class=\"toc-main-title-permanent\">Table of Contents<\/span>\n            <\/div>\n            <div\n                    class=\"collapse my-3\"\n                    id=\"multiCollapse1\"\n            >\n                <ol class=\"StepProgress\">\n                                                                        <li class=\"StepProgress-item current\">\n                                                <div class=\"StepProgress-item__group\">\n                            <a data-id=\"key_takeaways\"\n                               onclick=handleScrollToTitle(\"key_takeaways\")\n                               class=\"StepProgress-item__link\" data-level=\"2\">Key Takeaways<\/a>\n                                                    <\/div>\n                                                <\/li>\n                                                                        <li class=\"StepProgress-item\">\n                                                <div class=\"StepProgress-item__group\">\n                            <a data-id=\"stats_of_github_actions_beyond_expectations\"\n                               onclick=handleScrollToTitle(\"stats_of_github_actions_beyond_expectations\")\n                               class=\"StepProgress-item__link\" data-level=\"2\">Stats of GitHub Actions 'Beyond Expectations'<\/a>\n                                                    <\/div>\n                                                <\/li>\n                                                                        <li class=\"StepProgress-item\">\n                                                <div class=\"StepProgress-item__group\">\n                            <a data-id=\"github_resources_integrity_history_overshadowed\"\n                               onclick=handleScrollToTitle(\"github_resources_integrity_history_overshadowed\")\n                               class=\"StepProgress-item__link\" data-level=\"2\">GitHub Resources' Integrity History Overshadowed<\/a>\n                                                    <\/div>\n                                                <\/li>\n                                                                        <li class=\"StepProgress-item\">\n                                                <div class=\"StepProgress-item__group\">\n                            <a data-id=\"alternatives_for_developers_looking_to_play_pro_and_safe\"\n                               onclick=handleScrollToTitle(\"alternatives_for_developers_looking_to_play_pro_and_safe\")\n                               class=\"StepProgress-item__link\" data-level=\"2\">Alternatives for Developers Looking to Play Pro and Safe<\/a>\n                                                    <\/div>\n                                                <\/li>\n                                                                        <li class=\"StepProgress-item\">\n                                                <div class=\"StepProgress-item__group\">\n                            <a data-id=\"the_bottom_line\"\n                               onclick=handleScrollToTitle(\"the_bottom_line\")\n                               class=\"StepProgress-item__link\" data-level=\"2\">The Bottom Line<\/a>\n                                                    <\/div>\n                                                <\/li>\n                                    <\/ol>\n                <div class=\"toc-sticky__container__disperse\"><\/div>\n                <div class=\"toc-sticky__btn-top justify-content-center\">\n                    <button class=\"btn btn-link d-flex align-items-center\" onclick={btnTop()}><p>Show Full Guide<\/p><img decoding=\"async\"\n                                src=\"\/wp-content\/plugins\/table-of-contents\/assets\/images\/arrow-up-circle.svg\"\n                                alt=\"arrow-up-circle\">\n                    <\/button>\n                <\/div>\n            <\/div>\n        <\/div>\n    <\/section>\n    <div class=\"toc-sticky-list\">\n        <div class=\"toc-sticky__container container\">\n            <div class=\"toc-sticky__open d-flex align-items-end\" data-bs-toggle=\"collapse\" aria-controls=\"multiCollapse2\" data-bs-target=\"#multiCollapse2\">\n                <button class=\"btn btn-primary collapse-action-btn p-1 rounded-circle\"\n                        type=\"button\">\n                    <i class=\"icon-chevron-up up\"><\/i>\n                <\/button>\n                <span id=\"toc-current-title\" class=\"d-flex align-items-center\">\n                    Table of Contents\n                <\/span>\n            <\/div>\n            <div  class=\"collapse my-3\" id=\"multiCollapse2\">\n                <ol class=\"StepProgress\">\n                    \t\t\t\t\t \t\t\t\t\t                                                     <li class=\"StepProgress-item current \">\n                                                    <div class=\"StepProgress-item__group\">\n                                <a data-id=\"key_takeaways\"\n                                   onclick=handleScrollToTitle(\"key_takeaways\")\n                                   class=\"StepProgress-item__link\"\n                                   data-level=\"2\">Key Takeaways<\/a>\n                                                            <\/div>\n                                                    <\/li>\n                    \t\t\t\t\t \t\t\t\t\t                                                     <li class=\"StepProgress-item \">\n                                                    <div class=\"StepProgress-item__group\">\n                                <a data-id=\"stats_of_github_actions_beyond_expectations\"\n                                   onclick=handleScrollToTitle(\"stats_of_github_actions_beyond_expectations\")\n                                   class=\"StepProgress-item__link\"\n                                   data-level=\"2\">Stats of GitHub Actions 'Beyond Expectations'<\/a>\n                                                            <\/div>\n                                                    <\/li>\n                    \t\t\t\t\t \t\t\t\t\t                                                     <li class=\"StepProgress-item \">\n                                                    <div class=\"StepProgress-item__group\">\n                                <a data-id=\"github_resources_integrity_history_overshadowed\"\n                                   onclick=handleScrollToTitle(\"github_resources_integrity_history_overshadowed\")\n                                   class=\"StepProgress-item__link\"\n                                   data-level=\"2\">GitHub Resources' Integrity History Overshadowed<\/a>\n                                                            <\/div>\n                                                    <\/li>\n                    \t\t\t\t\t \t\t\t\t\t\n\t\t\t\t\t\t <span class=\"show_moretoc\">Show Full Guide<\/span>\n\t\t\t\t\t\t \t\t\t\t\t \t\t\t\t\t\t  \t\t\t\t\t                                                      <li class=\"StepProgress-item ms_hidetoc\">\n                                                    <div class=\"StepProgress-item__group\">\n                                <a data-id=\"alternatives_for_developers_looking_to_play_pro_and_safe\"\n                                   onclick=handleScrollToTitle(\"alternatives_for_developers_looking_to_play_pro_and_safe\")\n                                   class=\"StepProgress-item__link\"\n                                   data-level=\"2\">Alternatives for Developers Looking to Play Pro and Safe<\/a>\n                                                            <\/div>\n                                                    <\/li>\n                    \t\t\t\t\t \t\t\t\t\t \t\t\t\t\t\t  \t\t\t\t\t                                                      <li class=\"StepProgress-item ms_hidetoc\">\n                                                    <div class=\"StepProgress-item__group\">\n                                <a data-id=\"the_bottom_line\"\n                                   onclick=handleScrollToTitle(\"the_bottom_line\")\n                                   class=\"StepProgress-item__link\"\n                                   data-level=\"2\">The Bottom Line<\/a>\n                                                            <\/div>\n                                                    <\/li>\n                                    <\/ol>\n            <\/div>\n            <div class=\"toc-sticky__container__disperse\"><\/div>\n        <\/div>\n    <\/div>\n<\/div>\n\n<script id=\"toc-js\">\n    window.addEventListener(\"DOMContentLoaded\", () => {\n        const header = document.querySelector(\".header_wrapper\");\n\n        const pageLegend = document.querySelector('#multiCollapse1');\n        const pageLegendList = document.querySelector('#multiCollapse2');\n        const pageLegendCollapse = new bootstrap.Collapse(pageLegend, {toggle: document.querySelector(\".toc-sticky\").classList.contains('sticky')});\n\n        \/**\n         * Changing current title\n         *\/\n        (function (pageLegend) {\n            const titleNodes = pageLegend.querySelectorAll('.StepProgress-item__link');\n\n            if (!titleNodes.length) return;\n\n            const titles = [...titleNodes].map((itm, i) => ({\n                id: itm.getAttribute('data-id'),\n                text: itm.textContent,\n                level: itm.getAttribute('data-level'),\n                linkNode: itm,\n                titleNode: document.getElementById(itm.getAttribute('data-id')),\n                index: i,\n            }));\n\n            \/**\n             * Source: https:\/\/www.sitepoint.com\/throttle-scroll-events\/\n             * @param {Function} fn\n             * @param {number} wait\n             * @returns {(function(): void)|*}\n             *\/\n            const throttle = (fn, wait) => {\n                let time = Date.now();\n                return function () {\n                    if ((time + wait - Date.now()) < 0) {\n                        fn();\n                        time = Date.now();\n                    }\n                }\n            }\n\n            const changeCurrentTitle = () => {\n                const documentScrollTop = window.pageYOffset || document.documentElement.scrollTop || document.body.scrollTop || 0;\n                let current = 0;\n\n                \/\/ Title\n                titles.forEach((itm, i) => {\n\t\t\t\t\/\/console.log(itm)\n                    const itmOffsetTop = itm.titleNode ? itm.titleNode.offsetTop - 100 : 0;\n\n                    if (documentScrollTop >= itmOffsetTop) {\n                        document.getElementById('toc-current-title').innerHTML = itm.text;\n                        document.getElementById('toc-current-title').setAttribute('data-current-id', itm.id);\n                        document.getElementById('toc-current-title').setAttribute('data-current-level', itm.level);\n                        current = i;\n                    }\n                })\n\n                \/\/ close all list and open sub list if needed\n                if (document.querySelector(\".toc-sticky\").classList.contains('sticky')) {\n                    document.querySelectorAll('.subList-in-progress').forEach((el) => {\n                        el.children[1].classList.remove('show');\n                        el.getElementsByClassName('icon-chevron-down')[0].classList.remove('up');\n                    });\n                    const currentEl = titles[current];\n                    currentEl.linkNode.classList.add('show');\n                }\n\n                titles.forEach((itm, i) => {\n                    itm.linkNode.parentNode.parentNode.classList.remove('current', 'is-done');\n                    if (current > i) {\n                        itm.linkNode.parentNode.parentNode.classList.add('is-done')\n                    };\n                    if (current === i) {\n                      itm.linkNode.parentNode.parentNode.classList.add('current');\n                    };\n                })\n\n            }\n\n            changeCurrentTitle();\n\n            document.addEventListener('scroll', throttle(changeCurrentTitle, 50));\n        })(pageLegend);\n\n\n        \/**\n         *  Collapse\n         *\/\n        (function (pageLegend, header) {\n            const icon = pageLegend.parentNode.querySelector(\".collapse-action-btn i\");\n\n            const collapseToggle = (status) => (e) => {\n                if (!e.target.isEqualNode(pageLegend)) return;\n\n                icon.classList.toggle(\"up\");\n\n                const containerHeight = pageLegend.getBoundingClientRect().height;\n\n                const showSubtitleContent = () => {\n                    const currentId = document.getElementById('toc-current-title').getAttribute('data-current-id');\n                    const currentLevel = document.getElementById('toc-current-title').getAttribute('data-current-level');\n                    const currentSubTitle = currentLevel == 3 ? document.querySelector(`a[data-id=\"${currentId}\"]`).parentNode.parentNode.parentNode : false;\n\n                    if (!currentSubTitle) return;\n                    new bootstrap.Collapse(currentSubTitle, {toggle: false}).show();\n                }\n\n                showSubtitleContent();\n                if (status === 'shown' && document.querySelector(\".toc-sticky\").classList.contains('sticky') ) {\n                    document.querySelector('html').classList.remove('overflow-hidden');\n                    pageLegend.classList.add('overflow-auto');\n                    pageLegend.style.height = `calc(100vh - ${header.getBoundingClientRect().height + document.querySelector('.toc-sticky__open').getBoundingClientRect().height + 16}px)`;\n                } else if (status === 'hide') {\n                    document.querySelector('html').classList.remove('overflow-hidden');\n                    pageLegend.classList.remove('overflow-auto');\n                    pageLegend.style.height = 'auto';\n                }\n            }\n\n            pageLegend.addEventListener('shown.bs.collapse', collapseToggle('shown'));\n            pageLegend.addEventListener('hide.bs.collapse', collapseToggle('hide'));\n        })(pageLegend, header);\n\n        \/**\n         * Collapse sub-titles\n         *\/\n        (function (pageLegend) {\n            const collapseEls = pageLegend.querySelectorAll('.collapse');\n\n            collapseEls.forEach(function (el) {\n\n                const toggleArrowDirection = function (e) {\n                    if (!e.target.isEqualNode(el)) return;\n\n                    const id = this.getAttribute('id');\n                    document.querySelector(`.collapse-action-btn[data-bs-target=\"#${id}\"] .icon-chevron-down`).classList.toggle('up');\n                }\n                el.addEventListener('shown.bs.collapse', toggleArrowDirection);\n                el.addEventListener('hide.bs.collapse', toggleArrowDirection);\n            })\n        })(pageLegend);\n\n        \/**\n         *  Collapse main title\n         *\/\n        (function (pageLegendList) {\n            const icon = pageLegendList.parentNode.querySelector(\".collapse-action-btn i\");\n\n            const collapseToggle = () => (e) => {\n                if (!e.target.isEqualNode(pageLegendList)) return;\n\n                icon.classList.toggle(\"up\");\n\n            }\n            pageLegendList.addEventListener('shown.bs.collapse', collapseToggle());\n            pageLegendList.addEventListener('hide.bs.collapse', collapseToggle());\n        })(pageLegendList);\n\n        (function (pageLegendList) {\n            const collapseEls = pageLegendList.querySelectorAll('.collapse');\n\n            collapseEls.forEach(function (el) {\n\n                const toggleArrowDirection = function (e) {\n                    if (!e.target.isEqualNode(el)) return;\n\n                    const id = this.getAttribute('id');\n                    document.querySelector(`.toc-sticky-list .collapse-action-btn[data-bs-target=\"#${id}\"] .icon-chevron-down`).classList.toggle('up');\n                }\n                el.addEventListener('shown.bs.collapse', toggleArrowDirection);\n                el.addEventListener('hide.bs.collapse', toggleArrowDirection);\n            })\n        })(pageLegendList);\n\n        \/**\n         * Sticky functionality\n         * Source: https:\/\/stackoverflow.com\/questions\/17893771\/javascript-sticky-div-after-scroll\n         *\/\n        (function (header, pageLegendCollapse) {\n            \/\/ set everything outside the onscroll event (less work per scroll)\n            const target = document.querySelector(\".toc-sticky\");\n            const targetListStatic = document.querySelector(\".toc-sticky-list\");\n\n            if (!target || !header) return;\n\n            const headerHeight = header.getBoundingClientRect().height;\n            const targetHeight = targetListStatic.getBoundingClientRect().height;\n\n            \/\/ -headerHeight so it won't be jumpy\n            const stop = targetListStatic.offsetTop + headerHeight + targetHeight;\n            const docBody =\n                document.documentElement || document.body.parentNode || document.body;\n            const hasOffset = window.pageYOffset !== undefined;\n\n            const applySticky = function () {\n                \/\/ cross-browser compatible scrollTop.\n                const scrollTop = hasOffset ? window.pageYOffset : docBody.scrollTop;\n\n                \/\/ if user scrolls to headerHeight from the top of the target div\n                if (scrollTop >= stop) {\n                    pageLegendCollapse.hide();\n                    \/\/ stick the div\n                    target.classList.add(\"sticky\");\n                    \/\/target.style.marginTop = `${headerHeight}px`;\n                } else {\n                    pageLegendCollapse.show();\n                    \/\/ release the div\n                    target.classList.remove(\"sticky\");\n                    target.style.marginTop = \"\";\n                }\n            }\n\n            applySticky();\n\n            window.addEventListener('scroll', applySticky);\n        })(header, pageLegendCollapse);\n\tjQuery('span.show_moretoc').click(function(){\n\t\tjQuery('span.show_moretoc').hide();\n\t   jQuery('.ms_hidetoc').show();\n\t});\n    });\n\n    \/\/ When the user clicks on the button, scroll to the top of the document\n    function btnTop() {\n        const pageLegend = document.querySelector('#multiCollapse1');\n        document.querySelector('html').classList.remove('overflow-hidden');\n        pageLegend.classList.remove('overflow-auto');\n        pageLegend.style.height = 'auto';\n        window.scrollTo({\n            top: 0,\n            behavior: 'smooth'\n        });\n    }\n\n    const handleScrollToTitle = (id) => {\n        const el = document.getElementById(id);\n        const headerHeightDifference = window.innerWidth < 992 ? -30 : -15;\n        window.scrollTo({\n            top: el.offsetTop - 60 - headerHeightDifference - 10,\n        });\n    }\n<\/script>\n\n<h2><span id=\"stats_of_github_actions_beyond_expectations\">Stats of GitHub Actions &#8216;Beyond Expectations&#8217;<\/span><\/h2>\n<p>In their investigation Legit Security also uncovered interpolation of untrusted input in more than <strong>7,000 workflows<\/strong>, execution of <strong>untrusted code in over 2,500 workflows<\/strong>, and use of <strong>untrustworthy artifacts in 3,000-plus workflows<\/strong>.<\/p>\n<p>Of the 19,113 custom GitHub Actions, only <strong>913 were created by verified GitHub users<\/strong>; <strong>18% had vulnerable dependencies<\/strong>; <strong>762 are archived and do not receive regular updates<\/strong>, the <strong>average OSSF security score was 4.23 out of 10<\/strong>, and most repositories are maintained by a single developer.<\/p>\n<p>Techopedia spoke to <strong>Legit Security&#8217;s<\/strong> <a href=\"https:\/\/il.linkedin.com\/in\/roy-blit-6979509a\" target=\"_blank\"><strong>Roy Blit<\/strong><\/a>, who spoke about the surprising takeaways of the GitHub report.<\/p>\n<blockquote><p>&#8220;We knew that we&#8217;re probably going to find a lot of cases of insecure workflows and Actions, but we didn&#8217;t expect this to be so prevalent. The statistics we found were beyond expectations.&#8221;<\/p><\/blockquote>\n<h2><span id=\"github_resources_integrity_history_overshadowed\">GitHub Resources&#8217; Integrity History Overshadowed<\/span><\/h2>\n<p>Reports that question GitHub&#8217;s resources&#8217; integrity are nothing new. To cite just a couple of examples, Bitdefender reported in 2022 that <a href=\"https:\/\/www.bitdefender.com\/blog\/hotforsecurity\/thousands-of-poc-exploits-on-github-are-laced-with-malware-study-shows\/\" target=\"_blank\">thousands of PoC exploits on GitHub were laced with malware<\/a>, and in 2023 Aqua Nautilus found that <a href=\"https:\/\/www.aquasec.com\/blog\/github-dataset-research-reveals-millions-potentially-vulnerable-to-repojacking\/\" target=\"_blank\">millions of GitHub repositories<\/a> were potentially vulnerable to &#8216;RepoJacking&#8217;.<\/p>\n<p>Blit from Legit Security discussed this historic GitHub trend and why their recent report is unique. <strong>\u00a0<\/strong><\/p>\n<p>&#8220;Indeed, GitHub has been under security research for quite some time. However, this research is focused specifically on GitHub Actions \u2014 the CI\/CD [<a href=\"https:\/\/www.techopedia.com\/definition\/24368\/continuous-integration-ci\">continuous integration<\/a> and <a href=\"https:\/\/www.techopedia.com\/definition\/28958\/continuous-delivery-cd\">continuous deployment<\/a>] service offered by GitHub,&#8221; Blit said.<\/p>\n<p>&#8220;We&#8217;ve conducted a thorough investigation of different aspects of GitHub Actions, which hasn&#8217;t been done before to this extent, and it is important to educate the open source community on this matter to prevent attackers from taking over the CI\/CD pipelines of critical projects.&#8221;<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/vaibhavmalik1\/\" target=\"_blank\"><strong>Vaibhav Malik<\/strong><\/a><strong>, Global Partner Solutions Architect Leader at <\/strong><a href=\"https:\/\/www.cloudflare.com\/\" target=\"_blank\"><strong>Cloudflare<\/strong><\/a>, expressed shock at the extent of the findings of this new report to Techopedia:<\/p>\n<p>&#8220;One of the most shocking findings is the sheer scale of potential vulnerabilities. The research uncovered interpolation of untrusted input in over 7,000 workflows and execution of untrusted code in over 2,500 workflows.&#8221;<\/p>\n<p>&#8220;Given GitHub&#8217;s widespread use among developers and major companies, the potential impact of these vulnerabilities is concerning,&#8221; Malik said.<\/p>\n<p>&#8220;Additionally, it is alarming that <strong>98% of references used by jobs and steps don&#8217;t follow best practices for dependency pinning<\/strong>. This leaves many workflows potentially exposed to unexpected changes or updates.&#8221;<\/p>\n<p>Malik explained that the findings are particularly relevant because they highlight vulnerabilities in GitHub Actions, which have become critical to many organizations&#8217; development and deployment pipelines.<\/p>\n<blockquote><p>&#8220;Unlike previous security concerns that may have focused on repository access or code integrity, these vulnerabilities could allow attackers to manipulate the automated processes that build, test, and deploy code.&#8221;<\/p><\/blockquote>\n<h2><span id=\"alternatives_for_developers_looking_to_play_pro_and_safe\">Alternatives for Developers Looking to Play Pro and Safe<\/span><\/h2>\n<p>While GitHub remains a major player, there are other options for code hosting and collaboration. Those not-so-die-hard GitHub fans may be thinking, for example, moving on to cloud-based options like AWS CodeCommit, Azure DevOps Server (for Microsoft environments) or trying out other platforms like <a href=\"https:\/\/bitbucket.org\/\" target=\"_blank\">Bitbucket<\/a>, or <a href=\"https:\/\/about.gitlab.com\/\" target=\"_blank\">GitLab<\/a>, a strong competitor with similar features.<\/p>\n<p>But Blit from Legit Security says developers and companies might need to consider other factors.<\/p>\n<blockquote><p>&#8220;Most of the risks presented in this research are actually relevant to almost all CI\/CD services out there. For example, pinning dependencies to a specific version (to prevent it from being changed without the developer&#8217;s knowledge) is important, no matter which CI service you&#8217;re using. Developers just need to keep in mind to work according to best practices and avoid the security pitfalls presented in the report.&#8221;<\/p><\/blockquote>\n<p>Malik from Cloudflare told Techopedia that based on the research findings, developers should consider the following actions:<\/p>\n<ul>\n<li>Implement stricter security practices when writing GitHub Actions workflows, especially regarding the handling of secrets and prevention of code injection.<\/li>\n<li>Be more cautious when using third-party Actions from the marketplace. Prioritize Actions from verified creators and those with higher security scores.<\/li>\n<li>Utilize GitHub&#8217;s built-in features for controlling GitHub Actions behavior to enforce best practices.<\/li>\n<\/ul>\n<p>Awareness of the state of GitHub resources and knowing the risks associated with GitHub Actions, as well as integrating additional security tools, is also a good idea moving forward. Malik spoke about those looking for new platforms.<\/p>\n<blockquote><p>&#8220;For alternatives, developers might consider other CI\/CD platforms with potentially stronger security features, or look into self-hosted runners and custom action implementations that allow for tighter control over the execution environment. However, any alternative should be carefully evaluated for its own potential security implications.&#8221;<\/p><\/blockquote>\n<h2><span id=\"the_bottom_line\">The Bottom Line<\/span><\/h2>\n<p>The report from Legit Security is a wake-up call for developers and organizations relying on GitHub Actions. The convenience of these automated tools comes with a security risk, especially considering the prevalence of unmaintained actions and insecure coding practices.<\/p>\n<p>This doesn&#8217;t mean abandoning GitHub altogether. However, it&#8217;s crucial to prioritize security when using Actions, and the recommendations from both Blit and Malik offer a clear roadmap: stricter security practices, responsible third-party action selection, and leveraging built-in security features.<\/p>\n<p>For those seeking the tightest control, exploring alternative CI\/CD platforms or self-hosted solutions might be an option. But remember, security is a constant battle anywhere you go.\u00a0 Ultimately, a combination of awareness, best practices, and potentially additional security tools is what will keep your development pipelines safe.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>GitHub, the open-source developers&#8217; paradise, is no longer what it used to be. After years of increasing calls that attackers are leveraging the platform to distribute and sneak in malware, a new report reached a shocking conclusion. The Legit Security report found that most GitHub Actions are not created by verified users, are not maintained, [&hellip;]<\/p>\n","protected":false},"author":286688,"featured_media":286910,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_lmt_disableupdate":"","_lmt_disable":"","om_disable_all_campaigns":false,"footnotes":""},"categories":[585],"tags":[],"category_partsoff":[],"class_list":["post-286899","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-threats"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v24.2 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Is GitHub Dying a Slow Death? - Techopedia<\/title>\n<meta name=\"description\" content=\"Learn why GitHub Actions pose a risk to companies and developers everywhere as experts break down a new shocking report.\" \/>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Is GitHub Dying a Slow Death?\" \/>\n<meta property=\"og:description\" content=\"Learn why GitHub Actions pose a risk to companies and developers everywhere as experts break down a new shocking report.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death\" \/>\n<meta property=\"og:site_name\" content=\"Techopedia\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/techopedia\/\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-28T11:00:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2024\/07\/Is-Github-Dying.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"686\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Ray Fernandez\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@techopedia\" \/>\n<meta name=\"twitter:site\" content=\"@techopedia\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ray Fernandez\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death\"},\"author\":{\"name\":\"Ray Fernandez\",\"@id\":\"https:\/\/www.techopedia.com\/#\/schema\/person\/687890072e5e44867899acd7d6176e6c\"},\"headline\":\"Is GitHub Dying a Slow Death?\",\"datePublished\":\"2024-07-28T11:00:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death\"},\"wordCount\":1162,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.techopedia.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2024\/07\/Is-Github-Dying.jpg\",\"articleSection\":\"\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death#respond\"]}],\"copyrightYear\":\"2024\",\"copyrightHolder\":{\"@id\":\"https:\/\/www.techopedia.com\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death\",\"url\":\"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death\",\"name\":\"Is GitHub Dying a Slow Death? - Techopedia\",\"isPartOf\":{\"@id\":\"https:\/\/www.techopedia.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2024\/07\/Is-Github-Dying.jpg\",\"datePublished\":\"2024-07-28T11:00:46+00:00\",\"description\":\"Learn why GitHub Actions pose a risk to companies and developers everywhere as experts break down a new shocking report.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death#primaryimage\",\"url\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2024\/07\/Is-Github-Dying.jpg\",\"contentUrl\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2024\/07\/Is-Github-Dying.jpg\",\"width\":1200,\"height\":686,\"caption\":\"Is Github Dying\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.techopedia.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity\",\"item\":\"https:\/\/www.techopedia.com\/topic\/4\/cybersecurity\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cyber Threats\",\"item\":\"https:\/\/www.techopedia.com\/topic\/220\/cyber-threats\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Is GitHub Dying a Slow Death?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.techopedia.com\/#website\",\"url\":\"https:\/\/www.techopedia.com\/\",\"name\":\"Techopedia\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.techopedia.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.techopedia.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.techopedia.com\/#organization\",\"name\":\"Techopedia\",\"url\":\"https:\/\/www.techopedia.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.techopedia.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/techopedia-light-logo.svg\",\"contentUrl\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/techopedia-light-logo.svg\",\"caption\":\"Techopedia\"},\"image\":{\"@id\":\"https:\/\/www.techopedia.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/techopedia\/\",\"https:\/\/x.com\/techopedia\",\"https:\/\/www.linkedin.com\/company\/techopedia\/\",\"https:\/\/www.youtube.com\/c\/Techopedia\"],\"publishingPrinciples\":\"https:\/\/www.techopedia.com\/about\/editorial-policy\",\"ownershipFundingInfo\":\"https:\/\/www.techopedia.com\/about\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.techopedia.com\/#\/schema\/person\/687890072e5e44867899acd7d6176e6c\",\"name\":\"Ray Fernandez\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.techopedia.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/10\/avatar_user_286688_1698354675-300x300.jpg\",\"contentUrl\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/10\/avatar_user_286688_1698354675-300x300.jpg\",\"caption\":\"Ray Fernandez\"},\"description\":\"Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/ray-fernandez\/\"],\"knowsAbout\":[\"Senior Technology Journalist\"],\"url\":\"https:\/\/www.techopedia.com\/contributors\/rayfernandez\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Is GitHub Dying a Slow Death? - Techopedia","description":"Learn why GitHub Actions pose a risk to companies and developers everywhere as experts break down a new shocking report.","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"Is GitHub Dying a Slow Death?","og_description":"Learn why GitHub Actions pose a risk to companies and developers everywhere as experts break down a new shocking report.","og_url":"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death","og_site_name":"Techopedia","article_publisher":"https:\/\/www.facebook.com\/techopedia\/","article_published_time":"2024-07-28T11:00:46+00:00","og_image":[{"width":1200,"height":686,"url":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2024\/07\/Is-Github-Dying.jpg","type":"image\/jpeg"}],"author":"Ray Fernandez","twitter_card":"summary_large_image","twitter_creator":"@techopedia","twitter_site":"@techopedia","twitter_misc":{"Written by":"Ray Fernandez","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death#article","isPartOf":{"@id":"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death"},"author":{"name":"Ray Fernandez","@id":"https:\/\/www.techopedia.com\/#\/schema\/person\/687890072e5e44867899acd7d6176e6c"},"headline":"Is GitHub Dying a Slow Death?","datePublished":"2024-07-28T11:00:46+00:00","mainEntityOfPage":{"@id":"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death"},"wordCount":1162,"commentCount":0,"publisher":{"@id":"https:\/\/www.techopedia.com\/#organization"},"image":{"@id":"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death#primaryimage"},"thumbnailUrl":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2024\/07\/Is-Github-Dying.jpg","articleSection":"","inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.techopedia.com\/is-github-dying-a-slow-death#respond"]}],"copyrightYear":"2024","copyrightHolder":{"@id":"https:\/\/www.techopedia.com\/#organization"}},{"@type":"WebPage","@id":"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death","url":"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death","name":"Is GitHub Dying a Slow Death? - Techopedia","isPartOf":{"@id":"https:\/\/www.techopedia.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death#primaryimage"},"image":{"@id":"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death#primaryimage"},"thumbnailUrl":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2024\/07\/Is-Github-Dying.jpg","datePublished":"2024-07-28T11:00:46+00:00","description":"Learn why GitHub Actions pose a risk to companies and developers everywhere as experts break down a new shocking report.","breadcrumb":{"@id":"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.techopedia.com\/is-github-dying-a-slow-death"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death#primaryimage","url":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2024\/07\/Is-Github-Dying.jpg","contentUrl":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2024\/07\/Is-Github-Dying.jpg","width":1200,"height":686,"caption":"Is Github Dying"},{"@type":"BreadcrumbList","@id":"https:\/\/www.techopedia.com\/is-github-dying-a-slow-death#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.techopedia.com\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity","item":"https:\/\/www.techopedia.com\/topic\/4\/cybersecurity"},{"@type":"ListItem","position":3,"name":"Cyber Threats","item":"https:\/\/www.techopedia.com\/topic\/220\/cyber-threats"},{"@type":"ListItem","position":4,"name":"Is GitHub Dying a Slow Death?"}]},{"@type":"WebSite","@id":"https:\/\/www.techopedia.com\/#website","url":"https:\/\/www.techopedia.com\/","name":"Techopedia","description":"","publisher":{"@id":"https:\/\/www.techopedia.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.techopedia.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.techopedia.com\/#organization","name":"Techopedia","url":"https:\/\/www.techopedia.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.techopedia.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/techopedia-light-logo.svg","contentUrl":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2025\/02\/techopedia-light-logo.svg","caption":"Techopedia"},"image":{"@id":"https:\/\/www.techopedia.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/techopedia\/","https:\/\/x.com\/techopedia","https:\/\/www.linkedin.com\/company\/techopedia\/","https:\/\/www.youtube.com\/c\/Techopedia"],"publishingPrinciples":"https:\/\/www.techopedia.com\/about\/editorial-policy","ownershipFundingInfo":"https:\/\/www.techopedia.com\/about"},{"@type":"Person","@id":"https:\/\/www.techopedia.com\/#\/schema\/person\/687890072e5e44867899acd7d6176e6c","name":"Ray Fernandez","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.techopedia.com\/#\/schema\/person\/image\/","url":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/10\/avatar_user_286688_1698354675-300x300.jpg","contentUrl":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/10\/avatar_user_286688_1698354675-300x300.jpg","caption":"Ray Fernandez"},"description":"Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.","sameAs":["https:\/\/www.linkedin.com\/in\/ray-fernandez\/"],"knowsAbout":["Senior Technology Journalist"],"url":"https:\/\/www.techopedia.com\/contributors\/rayfernandez"}]}},"modified_by":"vukstojkovic","_links":{"self":[{"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/posts\/286899","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/users\/286688"}],"replies":[{"embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/comments?post=286899"}],"version-history":[{"count":0,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/posts\/286899\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/media\/286910"}],"wp:attachment":[{"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/media?parent=286899"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/categories?post=286899"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/tags?post=286899"},{"taxonomy":"category_partsoff","embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/category_partsoff?post=286899"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}