Ensure only verified GitHub Actions are in use
Allow only actions whose creators have been verified by GitHub Marketplace. Restricting the organization to verified creators prevents unverified third-party actions, which may be malicious, from running in your workflows.
Risk Level: medium
Platform: Github
Spectral Rule ID: GH-HRD017
REMEDIATION
Restrict the organization's allowed GitHub Actions to those published by Marketplace verified creators.
SaaS:
In the organization settings on the GitHub site:
- Go to 'Actions'.
- Go to 'General actions permissions'.
- Select 'Allow <ORGANIZATION>, and select non-<ORGANIZATION>, actions and reusable workflows'.
- Make sure 'Allow actions by Marketplace verified creators' is checked.
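The same setting can be audited and applied through the GitHub REST API (the org-level `actions/permissions` and `actions/permissions/selected-actions` endpoints). The following is an added example, not Spectral's own checker: it evaluates constructed sample API responses against this rule and builds the two requests that apply the remediation; the organization name `example-org` is a placeholder.

```python
import json

# Constructed sample responses, shaped like the GitHub REST API output for
# GET /orgs/{org}/actions/permissions and
# GET /orgs/{org}/actions/permissions/selected-actions.
SAMPLE_PERMISSIONS = {"enabled_repositories": "all", "allowed_actions": "selected"}
SAMPLE_SELECTED = {
    "github_owned_allowed": True,
    "verified_allowed": False,   # the GH-HRD017 misconfiguration
    "patterns_allowed": ["*/*"],  # wildcard allow-list that re-opens all actions
}
WILDCARDS = {"*", "*/*"}


def audit_actions_policy(permissions, selected):
    """Return findings for GH-HRD017; an empty list means the org is compliant."""
    findings = []
    mode = permissions.get("allowed_actions")
    if mode != "selected":
        # 'all' runs any action; 'local_only' blocks Marketplace entirely.
        findings.append(f"allowed_actions is {mode!r}, expected 'selected'")
        return findings
    if not selected.get("verified_allowed", False):
        findings.append("verified_allowed is false: enable "
                        "'Allow actions by Marketplace verified creators'")
    for pattern in selected.get("patterns_allowed", []):
        if pattern in WILDCARDS:
            findings.append(f"patterns_allowed contains {pattern!r}, "
                            "which admits unverified actions")
    return findings


def remediation_requests(org, permissions, selected):
    """Build the two PUT calls (method, path, body) that apply the remediation."""
    policy = {"enabled_repositories": permissions.get("enabled_repositories", "all"),
              "allowed_actions": "selected"}
    fixed = {"github_owned_allowed": selected.get("github_owned_allowed", True),
             "verified_allowed": True,
             "patterns_allowed": [p for p in selected.get("patterns_allowed", [])
                                  if p not in WILDCARDS]}
    return [("PUT", f"/orgs/{org}/actions/permissions", policy),
            ("PUT", f"/orgs/{org}/actions/permissions/selected-actions", fixed)]


if __name__ == "__main__":
    for finding in audit_actions_policy(SAMPLE_PERMISSIONS, SAMPLE_SELECTED):
        print("FINDING:", finding)
    for method, path, body in remediation_requests("example-org", SAMPLE_PERMISSIONS, SAMPLE_SELECTED):
        print(method, path, json.dumps(body))
```

Run against the sample data it reports the disabled verified-creator setting and the wildcard pattern; the second PUT body it produces is what the settings page in the steps above writes.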