{"id":2364,"date":"2022-02-02T14:07:49","date_gmt":"2022-02-02T14:07:49","guid":{"rendered":"https:\/\/gitprotect.io\/blog\/?p=2364"},"modified":"2025-03-07T11:04:10","modified_gmt":"2025-03-07T11:04:10","slug":"github-actions-how-to-use-it-for-security-and-compliance-needs","status":"publish","type":"post","link":"https:\/\/gitprotect.io\/blog\/github-actions-how-to-use-it-for-security-and-compliance-needs\/","title":{"rendered":"GitHub Actions – How to Use It for Security and Compliance Needs"},"content":{"rendered":"\n

First of all, let\u2019s clarify what GitHub Actions actually is and what it has to do with security and compliance. In short, it is a feature used for workflow automation. It is a continuous integration and continuous delivery<\/a> platform that allows you to automate your build, test, and deployment pipeline. Like any tool of this type, it permits you to run Actions triggered by a change in the repository, for example, a merged pull request.<\/p>\n\n\n\n\n\n\n\n

However, that\u2019s not all and the possibilities are much greater here. GitHub Actions can trigger a specific workflow based on other events too. For example, every new issue can automatically add the appropriate labels. Now, let\u2019s check out something related to the subject of compliance, such as GitHub Membership Audit Action. It is a ready-made action available in the Marketplace that allows you to audit which users have access to which repository and what permissions they have in it. Of course, we can also trigger such Actions manually, although automation is their main advantage.<\/p>\n\n\n\n\n\n

GitHub Actions workflow explained<\/h2>\n\n\n\n

Let\u2019s go over how it works before we move on. As I mentioned before, the basic idea is that we define an action, which is then triggered automatically based on some event in our repository. When defining our workflow, we can run one or multiple jobs and, most importantly, we can run them in sequence or in parallel. Now, let\u2019s jump into the details. <\/p>\n\n\n\n

Each job contains one or more steps to be performed. In addition, everyone is run inside a container or their own virtual machine, the so-called runner, which is quite important from a security perspective as it allows for the isolation of operations. GitHub provides Ubuntu, Windows, or macOS runners, but you can host your own runner anytime you want to. All steps of a given job are either an executable shell script or an action, which is a custom application that performs a frequently repeated task.<\/p>\n\n\n\n

The whole concept of GitHub Actions can be illustrated by the following graphic:<\/p>\n\n\n

\n
\"GitHub
Source: GitHub<\/a><\/figcaption><\/figure><\/div>\n\n\n

Risks and security<\/h2>\n\n\n\n

Next in line, we have risks and security in terms of GitHub Actions<\/a>. As with any tool or platform, it is necessary to keep it secured. Secrets shall never be stored just as plain text in your workflow files, and scripts that are implemented shall always be verified, also make sure to have multiple code owners – the list goes on, but you get the picture. The number of incidents that affected GitHub users throughout 2023 grew by over 20% when comparing it to 2024, as outlined by the The State of DevOps Threats Report<\/a>. These statistics suggest it is a good idea to improve security practices.<\/p>\n\n\n\n

Compliance and Auditing<\/h3>\n\n\n\n

For several reasons, companies take measures to increase the level of security and then verify it regularly. In addition, certain standards are introduced and audits are carried out, both by internal and external companies. In many companies, such audits are enforced by law or agreements with clients. This is a very serious topic, going beyond the usual common-sense care for your own safety.<\/p>\n\n\n\n

So, why is compliance crucial for today\u2019s software development? Well, there are a couple of reasons: <\/p>\n\n\n\n