GitHub Actions Score

PreviousReusable Workflows NextStepSecurity Maintained Actions

Last updated 2 months ago

Was this helpful?

GitHub Actions Score

This page helps you assess the security score of any GitHub Action used in your workflows.

Note: GitHub Actions security scores are graded by OpenSSF ScoreCard

How to Check an Actions Security Score

Navigate to the Actions section and select GitHub Actions Score
Enter the name of an action (e.g., google-github-actions/auth) to view its security score.

This will open the GitHub Actions Advisor, which provides a breakdown of the GitHub Actions security score

The following details are displayed for each Action:

Security Score Details

Remarks

Score

The actions security score. The highest rating is 10.

License

Verifies the presence of a published license in standard locations. A clear license is crucial for security reviews, audits, and mitigating legal risks for users.

Maintained

Project activity is assessed based on recent commits and issue engagement. Active maintenance is crucial for ongoing security and functionality.

Vulnerabilities

Dependencies are monitored for vulnerabilities and updated periodically to address identified issues promptly.

Branch protection

Checks if default and release branches are protected using GitHub’s branch protection or repository rules. Ensures defined workflows, such as required reviews or status checks, are enforced before merging.

Manual code review

Verifies that code changes are reviewed by at least one person other than the author. This practice enhances code quality and security through additional oversight.

Secure publishinng

Verifies that secure deployment practices are in place, including deployment review, reproducible builds, and generation of SBOM and provenance.

Signed commits

All code contributions are made with signed commits, enforced through branch protection to ensure code authenticity and integrity.

Automated security tools

Verifies the use of automated tools like SAST, SCA, and security scorecards on each change and periodically. Checks if responses are triaged promptly to maintain security standards.

Popular

Checks if the action is widely used by other open source projects. Higher usage can indicate community trust and more thorough vetting.

Security policy

Verifies the presence of a SECURITY.md file in standard locations. This policy provides secure reporting methods, ensuring responsible disclosure.

Scroll down in the GitHub Actions Advisor to see all outbound network calls made by the action.

PreviousReusable Workflows NextStepSecurity Maintained Actions

Last updated 2 months ago

Was this helpful?

This page helps you assess the security score of any GitHub Action used in your workflows.

Note: GitHub Actions security scores are graded by OpenSSF ScoreCard

How to Check an Actions Security Score

Navigate to the Actions section and select GitHub Actions Score
Enter the name of an action (e.g., google-github-actions/auth) to view its security score.

This will open the GitHub Actions Advisor, which provides a breakdown of the GitHub Actions security score

The following details are displayed for each Action:

Security Score Details

Remarks

Score

The actions security score. The highest rating is 10.

License

Verifies the presence of a published license in standard locations. A clear license is crucial for security reviews, audits, and mitigating legal risks for users.

Maintained

Project activity is assessed based on recent commits and issue engagement. Active maintenance is crucial for ongoing security and functionality.

Vulnerabilities

Dependencies are monitored for vulnerabilities and updated periodically to address identified issues promptly.

Branch protection

Manual code review

Verifies that code changes are reviewed by at least one person other than the author. This practice enhances code quality and security through additional oversight.

Secure publishinng

Verifies that secure deployment practices are in place, including deployment review, reproducible builds, and generation of SBOM and provenance.

Signed commits

All code contributions are made with signed commits, enforced through branch protection to ensure code authenticity and integrity.

Automated security tools

Verifies the use of automated tools like SAST, SCA, and security scorecards on each change and periodically. Checks if responses are triaged promptly to maintain security standards.

Popular

Checks if the action is widely used by other open source projects. Higher usage can indicate community trust and more thorough vetting.

Security policy

Verifies the presence of a SECURITY.md file in standard locations. This policy provides secure reporting methods, ensuring responsible disclosure.

Scroll down in the GitHub Actions Advisor to see all outbound network calls made by the action.