GitHub Actions Security Risk: The Mutable Tag Vulnerability

2025-03-25

A recent attack on the tj-actions/changed-files GitHub Action highlighted a supply-chain weakness in how workflows reference actions. Version tags such as `v45` are mutable Git refs: anyone with push access to the action's repository can move them to a different commit after the fact, and every workflow that references the tag silently picks up the new code on its next run. By re-pointing a tag at a malicious commit, the attackers injected code that wrote secrets into build logs, and on public repositories those logs are readable by anyone. The author shares a shell script to audit the actions a repository uses, stressing that `uses:` references should be pinned to an immutable commit SHA rather than a tag. The script parses workflow YAML files to list and count the actions in use, so they can be ranked by trust: actions from large organizations and self-written scripts first, less trustworthy third-party actions last. The author's recommendation is to prefer actions published by large organizations and to write custom scripts where practical.
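One way to implement the audit described above, as an added example rather than the author's own script: a bash script that pulls every `uses:` reference out of workflow files, classifies each as pinned to a full 40-hex commit SHA, referenced by a mutable tag or branch, local (`./`), or a Docker image, and tallies references per publisher so the handful of large organizations stand out from one-off third parties. The workflow it scans is constructed inline for the example; the action names and the SHA in it are made up, and the function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example: audit GitHub Actions `uses:` references for mutable refs.
# Not the post's script. Real use: audit_workflows .github/workflows/*.yml
set -eu

# Write a constructed sample workflow to the path in $1. The action names
# and the 40-hex SHA are made up for the example.
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: "actions/setup-node@0123456789abcdef0123456789abcdef01234567" # v4.0.0
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: echo hello
EOF
}

# Print every `uses:` target in the given workflow files, one per line,
# with surrounding quotes and any trailing YAML comment stripped. The
# leading `-` is optional so reusable-workflow `uses:` lines are caught too.
list_uses() {
  grep -hoE '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*[^[:space:]#]+' "$@" \
    | sed -E "s/^.*uses:[[:space:]]*//; s/^[\"']//; s/[\"']\$//"
}

# Classify one target. Only a full 40-hex commit SHA is immutable; tags and
# branches (v4, v45, main) can be re-pointed after you start trusting them.
classify_ref() {
  local target=$1 ref
  case "$target" in
    ./*)        echo local ;;
    docker://*) echo docker ;;
    *@*)
      ref=${target##*@}
      case "$ref" in
        *[!0-9a-fA-F]*) echo mutable ;;    # not pure hex: tag or branch name
        *) [ "${#ref}" -eq 40 ] && echo pinned || echo mutable ;;  # abbreviated SHA: not treated as pinned
      esac ;;
    *)          echo unpinned ;;           # no @ref at all
  esac
}

# One line per reference: "<class><TAB><target>".
audit_workflows() {
  list_uses "$@" | while IFS= read -r target; do
    printf '%s\t%s\n' "$(classify_ref "$target")" "$target"
  done
}

# Number of references in a class (pinned, mutable, local, docker, unpinned).
count_class() {
  local cls=$1; shift
  audit_workflows "$@" | awk -F '\t' -v c="$cls" '$1 == c { n++ } END { print n + 0 }'
}

# How many references each publisher (GitHub owner/org) accounts for, so the
# few large, well-known organisations stand out from one-off third parties.
owner_counts() {
  list_uses "$@" | grep -Ev '^(\./|docker://)' | cut -d/ -f1 | sort | uniq -c | sort -rn
}

# Stand-alone demo over the constructed sample; real use passes real files.
demo() {
  local sample
  sample=$(mktemp)
  write_sample_workflow "$sample"
  audit_workflows "$sample"
  printf 'mutable references: %s\n' "$(count_class mutable "$sample")"
  owner_counts "$sample"
  rm -f "$sample"
}
demo
```

On the sample, `actions/checkout@v4` and `tj-actions/changed-files@v45` are reported as mutable and only the SHA-pinned `setup-node` step as pinned; the owner histogram then shows which publishers you are trusting most often. Fixing a mutable line means replacing the tag with the commit it currently resolves to (`git ls-remote` on the action repository gives it) and keeping the version as a trailing comment, as the sample's `setup-node` line does, so a tool such as Dependabot can still bump it.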
