Yusuke Kubo (NTT DOCOMO BUSINESS, Inc. / Waseda University), Fumihiro Kanei (NTT DOCOMO BUSINESS, Inc.), Mitsuaki Akiyama (NTT, Inc.), Takuro Wakai (Waseda University), Tatsuya Mori (Waseda University / NICT / RIKEN AIP)

GitHub Actions has become a dominant Continuous Integration/Continuous Delivery (CI/CD) platform, yet recent supply chain attacks like SolarWinds and tj-actions/changed-files highlight critical security vulnerabilities in such systems. While GitHub provides official security practices to mitigate these risks, the extent of their real-world implementation remains unknown. We present a mixed-methods study analyzing 338,812 public repositories and surveying over 100 developers to understand security practice implementation in GitHub Actions. Our findings reveal alarmingly low implementation rates across five key security practices, ranging from 0.6% to 52.9%. We identify three primary barriers: lack of awareness (up to 71.6% of non-adopters were unaware of practices), misconceptions about applicability, and concerns about operational costs. Repository characteristics such as organization ownership and recent development activity significantly correlate with better security practice implementation. Based on these empirical insights, we derive actionable recommendations that align intervention strategies with appropriate levels of automation, improve notification design to support awareness, strengthen platform- and IDE-level assistance, and clarify documentation on risks and applicability.

View More Papers

Lightening the Load: A Cluster-Based Framework for A Lower-Overhead,...

Khashayar Khajavi (Simon Fraser University), Tao Wang (Simon Fraser University)

Read More

Kick Bad Guys Out! Conditionally Activated Anomaly Detection in...

Shanshan Han (University of California, Irvine), Wenxuan Wu (Texas A&M University), Baturalp Buyukates (University of Birmingham), Weizhao Jin (University of Southern California), Qifan Zhang (Palo Alto Networks), Yuhang Yao (Carnegie Mellon University), Salman Avestimehr (University of Southern California)

Read More

SoK: Understanding the Fundamentals and Implications of Sensor Out-of-band...

Shilin Xiao (Zhejiang University), Wenjun Zhu (Zhejiang University), Yan Jiang (Zhejiang University), Kai Wang (Zhejiang University), Peiwang Wang (Zhejiang University), Chen Yan (Zhejiang University), Xiaoyu Ji (Zhejiang University), Wenyuan Xu (Zhejiang University)

Read More