Building a Static Analyzer from Scratch

OMAR

GitHub Actions is increasingly becoming a popular tool for organizations to run CI and other automation tasks, and understandably so: workflows are easy to write, composable, and backed by a large ecosystem of reusable actions and integrations. Like any technology, though, they come with security risks that are easy to overlook, particularly because a workflow file is configuration that executes code, often with access to repository secrets and write permissions.

Instead of dissecting common GitHub Actions vulnerabilities one by one, we'll talk about what makes workflows such a good target for static analysis: they are declarative YAML with a small, well-defined schema, so the dangerous patterns can be recognized mechanically. We'll cover the principles behind great static analysis tools, then demonstrate those principles using the tool we wrote specifically to find vulnerabilities in GitHub Actions workflows.