Action Required: A Mixed-Methods Study of Security Practices in GitHub Actions

Yusuke Kubo

Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Applied Cryptography

**GitHub Actions** has become the mainstream CI/CD platform for modern software development, and its popularity makes it a highly attractive target for attackers. The 2025 compromise of **TJ Actions** and the **SRT campaign** hack of the NX package demonstrated the real-world consequences of insecure CI/CD pipelines. While GitHub publishes security guidelines recommending **16 security practices**, this talk presents the first large-scale study of how well developers actually implement them. Analyzing over **338,000 public repositories** and surveying **102 developers**, the researchers found that the practices are **largely unimplemented**: security features and tools (P1, P3, P5) are used in only **0.6% to 10.7%** of applicable repositories. The primary barriers are **lack of awareness** (21-72% of developers), **maintenance overhead concerns**, and **developer misconceptions** about what the practices do and to whom they apply.

AI review

A measurement and survey study of GitHub Actions security practice adoption, finding that practices are rarely implemented due to awareness gaps, maintenance overhead, and misconceptions. The data is solid but the findings are unsurprising, and the talk offers no offensive techniques or novel security insights.
