{"id":56019,"date":"2026-06-26T07:00:03","date_gmt":"2026-06-26T11:00:03","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=56019"},"modified":"2026-06-26T07:00:03","modified_gmt":"2026-06-26T11:00:03","slug":"github-actions-security-research","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/github-actions-security-research\/56019\/","title":{"rendered":"Potential Threat: misconfigurations in GitHub Actions"},"content":{"rendered":"

Stories about supply chain attacks appear<\/a> in the news with alarming regularity. In most cases they begin when attackers compromise publicly available packages. This may give the impression that the main danger of public repositories lies in the fact that someone could steal a developer\u2019s credentials and inject malicious code into the software they create. However, in reality, this isn\u2019t the only thing to be wary of when working with repositories hosting open-source projects. Misconfigurations of key components can also be a source of problems.<\/p>\n

In particular, GitHub Actions<\/a> \u2014 automation scripts that enable the creation of continuous integration and continuous delivery (CI\/CD) pipelines \u2014 can pose a risk. Errors and misconfigurations in these scripts are periodically exploited by attackers in real-world attacks. A prime example is the recent Mini Shai-Hulud<\/a> malware campaign. While it also began with the compromise of a popular project\u2019s maintainer, the malware distributed during this campaign stole secrets specifically by exploiting a flaw in GitHub Actions.<\/p>\n

Using a new set of rules for Kaspersky Container Security<\/a>, our experts from the Global Research and Analysis Team (GReAT) conducted a security analysis of GitHub Actions across ~30,000 popular GitHub repositories. In short, automation pipelines in only 10% of these repositories raised no concerns.<\/p>\n

Detailed research results<\/h2>\n

In total, the rules implemented as part of the latest KCS release were used to scan ~130,000 pipelines. They identified more than 250,000 potential deviations from recommendations for secure CI\/CD configuration. Of course, these deviations cannot be considered vulnerabilities in and of themselves, but they do indicate areas where the configuration may require additional review and more careful tuning.<\/p>\n

Of these 250,000+ deviations, 59.8% can be classified as low risk, and 39.8% \u2014 medium risk. However, in 0.4% of cases, more serious misconfigurations were found, which our technologies classified as high risk. Furthermore, critical flaws found in eight repositories could potentially lead to supply chain compromise. The affected repositories covered a wide range of use cases \u2014 including AI integration in enterprise environments, services for developers and automation, and as well as security testing tools. Of course, our experts reported these critical issues to the maintainers of the relevant repositories.<\/p>\n

Here are the most common flaws found in the GitHub Actions we reviewed:<\/p>\n