The report identified more than 7,000 workflows that interpolate untrusted input (such as pull-request titles, issue bodies or branch names) directly into shell steps, over 2,500 that execute untrusted code, and 3,000+ that consume untrustworthy artifacts. Only 913 of the 19,113 custom GitHub Actions examined were published by verified users, and 18% had vulnerable dependencies.
98% of job references lacked dependency pinning (they reference actions by a mutable tag or branch rather than an immutable commit SHA), and 86% of workflows did not restrict the permissions granted to the job's GITHUB_TOKEN. DevOps teams need to remove risky dependencies and excessive token privileges from workflows to prevent exploitation.
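The three weakness classes counted above (untrusted input interpolated into `run:` scripts, unpinned action references, and no `permissions:` restriction on the token) can be spotted with a small line-based audit. The following is an added example, not code from the report or from GitHub; it scans two constructed workflows, one weak and one hardened. The workflow contents, the `audit_workflow` and `run_script_lines` names, and the 40-hex SHA in the hardened file are placeholders for illustration, not real releases or real repositories.

```python
"""Line-based audit of a GitHub Actions workflow for untrusted-input interpolation,
unpinned action references, missing GITHUB_TOKEN restrictions, and checkout of a
pull-request head under pull_request_target. Added example; a production linter
should parse the YAML instead of scanning lines."""
import re

# Constructed weak workflow: pull_request_target + checkout of the PR head,
# PR title interpolated into a shell step, tag/branch-pinned actions, no permissions.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: greet
        run: |
          echo "Thanks for PR ${{ github.event.pull_request.title }}"
      - uses: some-org/some-action@main
"""

# Constructed hardened workflow: read-only token, SHA-pinned action (placeholder SHA,
# not a real actions/checkout commit), untrusted value passed through an env var.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - name: greet
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Thanks for PR $TITLE"
"""

# Event-payload contexts an outside contributor controls (titles, bodies, branch names).
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*\bgithub\.(?:event\.(?:issue|pull_request|comment|review|review_comment"
    r"|discussion|head_commit|commits|workflow_run)\b|head_ref\b)"
)
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
RUN = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")
PR_HEAD_REF = re.compile(r"ref:\s*\$\{\{[^}]*github\.event\.pull_request\.head")


def run_script_lines(lines):
    """Yield (lineno, text) for every line belonging to a run: script, including
    continuation lines of a block scalar (run: | or run: >)."""
    block_col = None
    for n, line in enumerate(lines, 1):
        if block_col is not None:
            indent = len(line) - len(line.lstrip(" "))
            if not line.strip() or indent > block_col:
                yield n, line
                continue
            block_col = None
        m = RUN.match(line)
        if m:
            yield n, line
            if m.group(1).strip().rstrip("-+") in ("|", ">"):
                block_col = line.index("run:")


def audit_workflow(text):
    """Return findings as (lineno, rule, detail) sorted by line; [] means clean.
    Lineno 0 marks a file-level finding."""
    lines = text.splitlines()
    findings = []
    # Accepts a permissions: block at workflow or job level (line-based, so it
    # cannot tell whether every job is covered).
    if not any(re.match(r"^\s*permissions:", l) for l in lines):
        findings.append((0, "token-permissions", "no permissions: block; GITHUB_TOKEN keeps default scopes"))
    for n, line in enumerate(lines, 1):
        m = USES.match(line)
        # Local actions (./path) are repo-versioned; container refs (docker://) need a digest, not handled here.
        if m and not m.group(1).startswith("./") and not SHA_PIN.search(m.group(1)):
            findings.append((n, "unpinned-action", m.group(1)))
        if "pull_request_target" in text and PR_HEAD_REF.search(line):
            findings.append((n, "checkout-untrusted-head", line.strip()))
    for n, line in run_script_lines(lines):
        m = UNTRUSTED.search(line)
        if m:
            findings.append((n, "untrusted-interpolation", m.group(0)))
    findings.sort()
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf))
```

The hardened file shows the three fixes in one place: the token is scoped with `permissions: contents: read`, the action is pinned to a full commit SHA with the tag kept as a comment for humans, and the PR title reaches the shell only through an environment variable, so it is a string value rather than text the runner expands into the script before execution.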