Hunting for GitHub Actions bugs with zizmor

Much of the world's open source lives on GitHub, and uses GitHub Actions to provide tasks ranging from routine testing to critical build and release processes. As such, the security of GitHub Actions (and the workflows and actions that users develop and consume) is paramount to the security of the world's software.

But how secure is GitHub Actions, really? This talk will introduce GitHub Actions' internal building blocks and (mostly implicit) security model, and provide real world examples of security failures and surprising avenues of exploitation that recur in widely used actions and workflows. These examples will be motivated via zizmor, a Rust-based static analysis tool for GitHub Actions that can catch many of the most common (and severe) footguns that occur when writing workflows.

Attendees will leave knowing more about GitHub Actions security and best practices for writing secure workflows, as well as how to use zizmor both locally and in CI to detect potential security issues. No prior familiarity with GitHub Actions is necessary.