Confirmed users
13
edits
GitHub/Repository Security/GitHub Workflows & Actions: Difference between revisions
GitHub/Repository Security/GitHub Workflows & Actions (view source)
Revision as of 09:06, 19 May 2025
, 19 Mayadd instructions to review all code run as part of the workflow
(use 5th level heading) |
m (add instructions to review all code run as part of the workflow) |
||
| Line 10: | Line 10: | ||
# Protect all workflows by requiring code reviews from folks who have familiarized themselves with the security issues of workflows. | # Protect all workflows by requiring code reviews from folks who have familiarized themselves with the security issues of workflows. | ||
# Perform a code review for any additional scripts that you run in the workflows, not only the commands which are directly included in the workflow file. Look for any commands vulnerable to code injection | |||
# Use scanning to detect problems and lack of best practices. | # Use scanning to detect problems and lack of best practices. | ||
# Treat GitHub actions as you would any 3rd party library shipped with your product. | # Treat GitHub actions as you would any 3rd party library shipped with your product. | ||