Ensure only verified GitHub Actions are in use
Restrict workflows to actions whose creators have been verified by GitHub Marketplace, so that only verified actions can run. This prevents malicious actors from getting their own actions executed in your repositories.
Risk Level: medium
Platform: Github
Spectral Rule ID: GH-HRD017
REMEDIATION
Restrict GitHub Actions to actions from verified creators only.
SaaS:
In the organization settings on the GitHub site:
- Go to 'Actions'.
- Go to 'General actions permissions'.
- Select 'Allow <organization>, and select non-<organization>, actions and reusable workflows' (where <organization> is your organization's name).
- Check 'Allow actions by Marketplace verified creators' (the box should be ticked).
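The same posture can be audited programmatically. The script below is an added example, not Spectral's or GitHub's own code: it assumes the organization-level REST endpoints `GET /orgs/{org}/actions/permissions` and `GET /orgs/{org}/actions/permissions/selected-actions`, a token with organization-admin scope in `GITHUB_TOKEN`, and the organization name in `GITHUB_ORG`. The `audit` function reports a finding when the policy is not 'selected', when the verified-creators box is unchecked, or when extra allow-list patterns admit actions that bypass creator verification; the sample responses are constructed so the script also runs offline.

```python
"""Audit an organization's GitHub Actions permissions for the
"verified creators only" setting (GH-HRD017).

Added example, not Spectral's or GitHub's code. Assumes the two
organization-level endpoints named in the lead-in and the environment
variables GITHUB_ORG and GITHUB_TOKEN; the SAMPLE_* dicts are constructed.
"""
import json
import os
import urllib.request
from typing import List, Optional

API = "https://api.github.com"


def fetch(org: str, path: str, token: str) -> dict:
    """GET /orgs/{org}/actions/permissions{path} and return the JSON body."""
    req = urllib.request.Request(
        f"{API}/orgs/{org}/actions/permissions{path}",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit(permissions: dict, selected: Optional[dict]) -> List[str]:
    """Return findings; an empty list means the remediation is in place."""
    findings = []
    policy = permissions.get("allowed_actions")
    if policy != "selected":
        # 'all' lets any public action run; 'local_only' blocks Marketplace
        # entirely. Only 'selected' exposes the verified-creators checkbox.
        findings.append(f"allowed_actions is {policy!r}; expected 'selected'")
        return findings
    selected = selected or {}
    if not selected.get("verified_allowed"):
        findings.append(
            "'Allow actions by Marketplace verified creators' is not checked")
    patterns = selected.get("patterns_allowed") or []
    if patterns:
        # Explicit allow-list entries run regardless of creator verification.
        findings.append("allow-list patterns bypass creator verification: "
                        + ", ".join(patterns))
    return findings


def desired_selected_actions() -> dict:
    """Body for PUT .../permissions/selected-actions that enforces the rule."""
    return {"github_owned_allowed": True,
            "verified_allowed": True,
            "patterns_allowed": []}


# Constructed sample responses (not taken from a real organization).
SAMPLE_PERMISSIONS_ALL = {"enabled_repositories": "all",
                          "allowed_actions": "all"}
SAMPLE_PERMISSIONS_SELECTED = {"enabled_repositories": "all",
                               "allowed_actions": "selected"}
SAMPLE_SELECTED_UNVERIFIED = {"github_owned_allowed": True,
                              "verified_allowed": False,
                              "patterns_allowed": ["example-org/*"]}
SAMPLE_SELECTED_OK = {"github_owned_allowed": True,
                      "verified_allowed": True,
                      "patterns_allowed": []}

if __name__ == "__main__":
    org = os.environ.get("GITHUB_ORG")
    token = os.environ.get("GITHUB_TOKEN")
    if org and token:
        perms = fetch(org, "", token)
        sel = (fetch(org, "/selected-actions", token)
               if perms.get("allowed_actions") == "selected" else None)
    else:
        perms, sel = SAMPLE_PERMISSIONS_SELECTED, SAMPLE_SELECTED_UNVERIFIED
    for line in audit(perms, sel) or ["compliant: only verified-creator actions are allowed"]:
        print(line)
```

Run it with `GITHUB_ORG` and `GITHUB_TOKEN` set to audit a live organization; without them it evaluates the constructed sample and prints the two findings an unremediated organization would produce. Applying `desired_selected_actions()` with a `PUT` to the selected-actions endpoint is the API equivalent of ticking the checkbox in the steps above.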