GitHub Actions
by GitHub, Inc. (Microsoft)
CI/CD platform for automating build, test, and deployment workflows with native GitHub integration
Authoritative Sources
Key guidance documents from authoritative organizations.
Strategies for integrating software supply chain security in CI/CD pipelines. Covers build integrity, artifact signing, and provenance.
NIST SP 800-218 (SSDF) PO.3.1: "Specify which tools or tool types must or should be included in each toolchain to mitigate identified risks." PS.1.1: "Store all forms of code in a code repository that provides version control." PW.4.1: "Acquire and maintain well-secured software components from commercial, open source, and other third-party developers." GitHub Actions supports these practices when workflows run from the version-controlled repository, pin an approved toolchain (including the third-party actions themselves), and gate new third-party components with dependency review before merge.
NIST SP 800-161r1 §2.2: "Cybersecurity risks throughout the supply chain refer to the potential for harm or compromise that arises from cybersecurity risks posed by suppliers, their supply chains, their products, or their services." §3.4: "Enterprises should examine and validate software development processes, including configuration management processes, building on the SSDF." GitHub Actions workflows, together with the third-party actions and runners they pull in, are part of the software supply chain attack surface and fall within the scope of C-SCRM controls such as supplier validation and configuration management.
GitHub's official security hardening guidance for Actions workflows. Covers secrets management, GITHUB_TOKEN permissions, vetting and commit-pinning of third-party actions, script injection prevention (never expanding untrusted event data directly inside run steps), and OpenID Connect (OIDC) authentication to cloud providers in place of long-lived stored credentials.
Catalog of common CI/CD security risks, with GitHub Actions mitigations for poisoned pipeline execution (untrusted code or workflow changes reaching a privileged job, for example via pull_request_target checking out the pull request head), credential theft (secrets and tokens exfiltrated from the runner), and dependency confusion.
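The hardening guidance and the CI/CD risk catalog above map to concrete workflow patterns. The following is an added example, not code from GitHub or from either source: a small Python linter with a constructed weak workflow beside its hardened counterpart. The action names, commit SHAs, IAM role ARN and account id in the samples are placeholders. The linter scans lines with regular expressions rather than parsing YAML, so its findings are a heuristic starting point, not a complete check.

```python
"""Line-based hardening lint for GitHub Actions workflows (added example; not
GitHub's code or tooling). It scans text lines rather than parsing YAML, so it
is a heuristic checker for the patterns the hardening guidance calls out:
unpinned third-party actions, untrusted event data expanded inside run steps,
missing least-privilege permissions, pull_request_target checking out the PR
head (poisoned pipeline execution), and static cloud keys where OIDC fits."""
import re

# Constructed weak workflow; every finding the linter reports is deliberate.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/setup-tool@main
      - name: Greet
        run: echo "PR title: ${{ github.event.pull_request.title }}"
      - name: Deploy
        run: |
          ./deploy.sh "${{ github.event.pull_request.body }}"
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""

# Constructed hardened counterpart: the SHAs, role ARN and account id are
# placeholders, not real pins; pin to the commit you actually reviewed.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.x
      - uses: some-org/setup-tool@89abcdef0123456789abcdef0123456789abcdef # v1.x
      - name: Greet
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $TITLE"
      - uses: aws-actions/configure-aws-credentials@fedcba9876543210fedcba9876543210fedcba98 # v4.x
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-deploy
          aws-region: us-east-1
      - run: ./deploy.sh
"""

USES = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
RUN = re.compile(r"^\s*-?\s*run:\s*(.*)$")
# Event payload fields and head_ref are attacker-influenced on PR/issue events.
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(event\.[\w.\[\]]+|head_ref)")
PPE_REF = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head")
STATIC_CLOUD_SECRET = re.compile(
    r"secrets\.(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AZURE_CLIENT_SECRET|GOOGLE_CREDENTIALS)")


def lint_workflow(text):
    """Return (rule, line_no, line) findings for one workflow file."""
    lines = text.splitlines()
    findings = []
    uses_prt = re.search(r"\bpull_request_target\b", text) is not None
    if not any(re.match(r"^\s*permissions:", ln) for ln in lines):
        findings.append(("no-permissions", 0,
                         "no permissions: block; GITHUB_TOKEN keeps its default scope"))
    run_indent = None  # indent of an open `run: |` block scalar, or None
    for no, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip(" "))
        if run_indent is not None and (not line.strip() or indent > run_indent):
            if UNTRUSTED.search(line):  # still inside the multi-line run body
                findings.append(("script-injection", no, line.strip()))
            continue
        run_indent = None
        m = USES.match(line)
        if m and not FULL_SHA.match(m.group(2)):
            findings.append(("unpinned-action", no, line.strip()))
        m = RUN.match(line)
        if m:
            if m.group(1).strip() in ("|", "|-", ">", ">-"):
                run_indent = indent
            elif UNTRUSTED.search(m.group(1)):
                findings.append(("script-injection", no, line.strip()))
        if uses_prt and PPE_REF.search(line):
            findings.append(("ppe-checkout", no, line.strip()))
        if STATIC_CLOUD_SECRET.search(line):
            findings.append(("static-cloud-secret", no, line.strip()))
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        found = lint_workflow(wf)
        print(f"{name}: {len(found)} finding(s)")
        for rule, no, line in found:
            print(f"  {rule:20} line {no}: {line}")
```

The hardened form moves the untrusted title into an environment variable so the shell receives it as data rather than as part of the command text, pins every action to a full commit SHA, declares read-only permissions at the top level and grants id-token: write only to the job that exchanges the OIDC token for short-lived cloud credentials. To run the linter over real files, read each file under .github/workflows and pass its text to lint_workflow.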
SOC 2 CC8.1: "The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives." GitHub Actions workflows, combined with required status checks and branch protection rules, automate the testing and approval steps of change management and provide evidence that supports CC8.1. Source: AICPA Trust Services Criteria.
ISO 27001:2022 A.8.25: "Rules for the secure development of software and systems shall be established and applied to developments within the organisation." GitHub Actions enables enforcement of secure development practices through automated security scanning, dependency review, and quality gates in CI/CD pipelines. Source: ISO/IEC 27001:2022 Annex A.
ISO 27001:2022 A.8.31: "Development, testing and production environments shall be separated and secured." GitHub Actions environments feature supports separation of deployment stages with environment protection rules, required reviewers, and deployment branches, implementing A.8.31 environment segregation requirements. Source: ISO/IEC 27001:2022 Annex A.
Verification Commands
Commands and queries for testing and verifying security configurations.
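The commands in this section return JSON; the following is an added example, not GitHub's code, that turns that JSON into pass/fail findings. The audit functions take the objects returned by the actions/permissions, actions/permissions/workflow, actions/permissions/selected-actions and branch protection calls. The sample responses are constructed using those endpoints' documented field names, with deliberately weak values; replace them with real gh api output.

```python
"""Evaluate GitHub Actions repository settings against a least-privilege
baseline. Added example, not GitHub's code: the audit functions take the
JSON objects returned by the gh api verification commands in this section.
The sample responses below are constructed with those endpoints' documented
field names and deliberately weak values."""
import json

# Constructed: gh api repos/{owner}/{repo}/actions/permissions
SAMPLE_PERMISSIONS = {"enabled": True, "allowed_actions": "all"}
# Constructed: gh api repos/{owner}/{repo}/actions/permissions/workflow
SAMPLE_WORKFLOW = {"default_workflow_permissions": "write",
                   "can_approve_pull_request_reviews": True}
# Constructed: gh api repos/{owner}/{repo}/actions/permissions/selected-actions
SAMPLE_SELECTED = {"github_owned_allowed": True, "verified_allowed": True,
                   "patterns_allowed": ["*"]}
# Constructed: gh api repos/{owner}/{repo}/branches/main/protection (subset)
SAMPLE_PROTECTION = {
    "required_status_checks": {"strict": False, "contexts": []},
    "required_pull_request_reviews": {"required_approving_review_count": 0},
    "enforce_admins": {"enabled": False},
}


def audit_allowed_actions(perms, selected):
    """Which actions may run at all (actions/permissions + selected-actions)."""
    issues = []
    if not perms.get("enabled", False):
        return issues  # Actions disabled for the repository: nothing else applies
    mode = perms.get("allowed_actions")
    if mode == "all":
        issues.append("allowed_actions=all: any marketplace action may run; "
                      "set 'selected' or 'local_only'")
    elif mode == "selected":
        if selected.get("verified_allowed"):
            issues.append("verified_allowed=true: 'verified creator' is not a code "
                          "review; prefer an explicit allow list")
        for pat in selected.get("patterns_allowed", []):
            if pat.strip() in ("*", "*/*"):
                issues.append(f"patterns_allowed contains {pat!r}, equivalent to 'all'")
    return issues


def audit_token_defaults(wf):
    """Default GITHUB_TOKEN scope (actions/permissions/workflow)."""
    issues = []
    if wf.get("default_workflow_permissions") != "read":
        issues.append("default_workflow_permissions is not 'read': GITHUB_TOKEN "
                      "gets write scopes unless each workflow restricts it")
    if wf.get("can_approve_pull_request_reviews"):
        issues.append("can_approve_pull_request_reviews=true: a workflow can "
                      "satisfy its own review requirement")
    return issues


def audit_branch_protection(prot, min_reviews=1):
    """Merge gates on the default branch; gh api returns 404 when none exist."""
    if not prot:
        return ["no branch protection on the default branch"]
    issues = []
    reviews = prot.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < min_reviews:
        issues.append(f"fewer than {min_reviews} required approving review(s)")
    checks = prot.get("required_status_checks") or {}
    if not checks.get("contexts"):
        issues.append("no required status checks: CI results do not gate merges")
    elif not checks.get("strict"):
        issues.append("required_status_checks.strict=false: stale branches can merge")
    if not (prot.get("enforce_admins") or {}).get("enabled"):
        issues.append("enforce_admins disabled: administrators can bypass the rules")
    return issues


def audit_repo(perms, workflow, selected, protection):
    """Combined findings; an empty list means the baseline is met."""
    return (audit_allowed_actions(perms, selected)
            + audit_token_defaults(workflow)
            + audit_branch_protection(protection))


if __name__ == "__main__":
    findings = audit_repo(SAMPLE_PERMISSIONS, SAMPLE_WORKFLOW,
                          SAMPLE_SELECTED, SAMPLE_PROTECTION)
    print(json.dumps(findings, indent=2))
```

To audit a real repository, load each command's output with json.loads and pass None for the branch protection object when gh api reports 404, which the function treats as its own finding.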
gh api repos/{owner}/{repo}/actions/secrets --jq ".secrets[].name"
gh api repos/{owner}/{repo}/actions/permissions --jq ".enabled, .allowed_actions"
gh run list --limit 10
gh api repos/{owner}/{repo}/contents/.github/workflows --jq ".[].name"
gh api repos/{owner}/{repo}/branches/main/protection
gh api repos/{owner}/{repo}/actions/runners --jq ".runners[].name"
gh api repos/{owner}/{repo}/actions/permissions/workflow --jq ".default_workflow_permissions, .can_approve_pull_request_reviews"
gh api repos/{owner}/{repo}/dependabot/alerts --jq ".[].security_advisory.summary"
gh api repos/{owner}/{repo}/actions/permissions/selected-actions
Notes: gh substitutes {owner} and {repo} from the current repository. The secrets endpoint returns only names, never values. The allowed-actions mode and the GITHUB_TOKEN default live on different endpoints: actions/permissions reports enabled and allowed_actions, while actions/permissions/workflow reports default_workflow_permissions (expected "read") and can_approve_pull_request_reviews (expected false). The branch protection call returns HTTP 404 when the branch has no protection rules, which is itself a finding; substitute the repository's actual default branch if it is not main.
Related Controls
Security controls from various frameworks that relate to GitHub Actions.