{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,3]],"date-time":"2026-07-03T22:17:14Z","timestamp":1783117034725,"version":"3.54.6"},"publisher-location":"Cham","reference-count":39,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032120885","type":"print"},{"value":"9783032120892","type":"electronic"}],"license":[{"start":{"date-parts":[[2025,11,20]],"date-time":"2025-11-20T00:00:00Z","timestamp":1763596800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,11,20]],"date-time":"2025-11-20T00:00:00Z","timestamp":1763596800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-3-032-12089-2_14","type":"book-chapter","created":{"date-parts":[[2025,11,19]],"date-time":"2025-11-19T04:14:53Z","timestamp":1763525693000},"page":"220-236","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Pipelines Under Pressure: An Empirical Study of\u00a0Security Misconfigurations of\u00a0GitHub Workflows"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-5649-3412","authenticated-orcid":false,"given":"Edoardo","family":"Riggio","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2748-9665","authenticated-orcid":false,"given":"Cesare","family":"Pautasso","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2025,11,20]]},"reference":[{"issue":"5","key":"14_CR1","doi-asserted-by":"publisher","first-page":"93","DOI":"10.1109\/MS.2017.3571578","volume":"34","author":"K Carter","year":"2017","unstructured":"Carter, K.: Francois Raynaud on DevSecOps. IEEE Softw. 34(5), 93\u201396 (2017)","journal-title":"IEEE Softw."},{"key":"14_CR2","unstructured":"Humble, J., Farley, D.: Continuous delivery: reliable software releases through build, test, and deployment automation. Pearson (2010)"},{"key":"14_CR3","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2021.106700","volume":"141","author":"RN Rajapakse","year":"2022","unstructured":"Rajapakse, R.N., Zahedi, M., Babar, M.A., Shen, H.: Challenges and solutions when adopting DevSecOps: a systematic review. Inf. Softw. Technol. 141, 106700 (2022)","journal-title":"Inf. Softw. Technol."},{"key":"14_CR4","doi-asserted-by":"crossref","unstructured":"Vassallo, C., Proksch, S., Jancso, A., Gall, H.C., Di\u00a0Penta, M.: Configuration smells in continuous delivery pipelines: a linter and a six-month study on GitLab. In: Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC\/FSE), pp. 327\u2013337. ACM (2020)","DOI":"10.1145\/3368089.3409709"},{"key":"14_CR5","unstructured":"Hsu, T.H.-C.: Hands-On Security in DevOps: Ensure Continuous Security, Deployment, and Delivery with DevSecOps. Packt Publishing Ltd. (2018)"},{"key":"14_CR6","doi-asserted-by":"crossref","unstructured":"Delicheh, H.O., Mens, T.: Mitigating security issues in github actions. In: Proceedings of the 4th International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) and 2nd International Workshop on Software Vulnerability (SVM), pp. 6\u201311. ACM\/IEEE (2024)","DOI":"10.1145\/3643662.3643961"},{"key":"14_CR7","unstructured":"Segura, T.: GitHub Actions Security Best Practices. https:\/\/blog.gitguardian.com\/github-actions-security-cheat-sheet\/"},{"key":"14_CR8","unstructured":"Vincent, H.: GitHub Actions exploitation: self hosted runners. https:\/\/www.synacktiv.com\/en\/publications\/github-actions-exploitation-self-hosted-runners"},{"key":"14_CR9","unstructured":"Blit, R.: GitHub, PyTorch and More Organizations Found Vulnerable to Self-Hosted Runner Attacks. https:\/\/www.legitsecurity.com\/blog\/github-pytorch-and-more-organizations-found-vulnerable-to-self-hosted-runner-attacks"},{"key":"14_CR10","unstructured":"Lobacevski, J.: Keeping your GitHub Actions and workflows secure Part 2: Untrusted input. https:\/\/securitylab.github.com\/resources\/github-actions-untrusted-input\/"},{"key":"14_CR11","unstructured":"GitHub. Security hardening for GitHub Actions. https:\/\/docs.github.com\/en\/actions\/security-for-github-actions\/security-guides\/security-hardening-for-github-actions"},{"key":"14_CR12","doi-asserted-by":"crossref","unstructured":"Cardoen, G., Mens, T., Decan, A.: A dataset of GitHub Actions workflow histories. In: Proceedings of the 21st International Conference on Mining Software Repositories (MSR), pp. 677\u2013681. ACM (2024)","DOI":"10.1145\/3643991.3644867"},{"key":"14_CR13","unstructured":"Pecka, N., Othmane, L., Valani, A.: Making Secure Software Insecure without Changing Its Code: The Possibilities and Impacts of Attacks on the DevOps Pipeline (2022). http:\/\/arxiv.org\/abs\/2201.12879"},{"key":"14_CR14","doi-asserted-by":"crossref","unstructured":"Pecka, N., Ben\u00a0Othmane, L., Valani, A.: Privilege escalation attack scenarios on the DevOps pipeline within a kubernetes environment. In: Proceedings of the International Conference on Software and System Processes and International Conference on Global Software Engineering (ICSSP), pp. 45\u201349. ACM (2022)","DOI":"10.1145\/3529320.3529325"},{"key":"14_CR15","doi-asserted-by":"crossref","unstructured":"Benedetti, G., Verderame, L., Merlo, A.: Automatic security assessment of github actions workflows. In: Proceedings Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED), pp. 37\u201345. ACM (2022)","DOI":"10.1145\/3560835.3564554"},{"key":"14_CR16","doi-asserted-by":"crossref","unstructured":"Kushwaha, M.K., David, P., Suseela, G.: Automation and DevSecOps: streamlining security measures in financial system. In: Proceedings of the International Conference on Electronics, Computing and Communication Technologies (CONECCT), pp. 1\u20136 (2024)","DOI":"10.1109\/CONECCT62155.2024.10677271"},{"issue":"1","key":"14_CR17","doi-asserted-by":"publisher","first-page":"403","DOI":"10.1109\/TDSC.2023.3253572","volume":"21","author":"Z Pan","year":"2024","unstructured":"Pan, Z., et al.: Ambush from all sides: understanding security threats in open-source software CI\/CD pipelines. IEEE Trans. Dependable Secure Comput. 21(1), 403\u2013418 (2024)","journal-title":"IEEE Trans. Dependable Secure Comput."},{"key":"14_CR18","doi-asserted-by":"crossref","unstructured":"Li, Z., et al.: Robbery on DevOps: understanding and mitigating illicit cryptomining on continuous integration service platforms. In: 2022 IEEE Symposium on Security and Privacy (SP), pp. 2397\u20132412 (2022)","DOI":"10.1109\/SP46214.2022.9833803"},{"key":"14_CR19","doi-asserted-by":"crossref","unstructured":"Paule, C., D\u00fcllmann, T.F., Van\u00a0Hoorn, A.: Vulnerabilities in continuous delivery pipelines? A case study. In: 2019 IEEE International Conference on Software Architecture Companion (ICSA-C), pp. 102\u2013108 (2019)","DOI":"10.1109\/ICSA-C.2019.00026"},{"key":"14_CR20","unstructured":"Koishybayev, I., et al.: Characterizing the security of github CI workflows. In: 31st USENIX Security Symposium (USENIX Security 2022), pp. 2747\u20132763 (2022)"},{"key":"14_CR21","unstructured":"Muralee, S., et al.: ARGUS: a framework for staged static taint analysis of github workflows and actions. In: Proceedings of the 32nd USENIX Security Symposium (USENIX Security 2023), pp. 6983\u20137000 (2023)"},{"key":"14_CR22","doi-asserted-by":"crossref","unstructured":"Khatami, A., Willekens, C., Zaidman, A.: Catching smells in the act: a github actions workflow investigation. In: 2024 IEEE International Conference on Source Code Analysis and Manipulation (SCAM), pp. 47\u201358 (2024)","DOI":"10.1109\/SCAM63643.2024.00015"},{"key":"14_CR23","unstructured":"Daniel, K., Omer, G.: OWASP Top 10 CI\/CD Security Risks. https:\/\/owasp.org\/www-project-top-10-ci-cd-security-risks"},{"key":"14_CR24","unstructured":"OpenSSF. Mitigating Attack Vectors in GitHub Workflows. https:\/\/openssf.org\/blog\/2024\/08\/12\/mitigating-attack-vectors-in-github-workflows\/"},{"key":"14_CR25","unstructured":"Khan, A.: One Supply Chain Attack to Rule Them All \u2013 Poisoning GitHub\u2019s Runner Images. https:\/\/adnanthekhan.com\/2023\/12\/20\/one-supply-chain-attack-to-rule-them-all\/"},{"key":"14_CR26","unstructured":"Khan, A.: The Monsters in Your Build Cache \u2013 GitHub Actions Cache Poisoning. https:\/\/adnanthekhan.com\/2024\/05\/06\/the-monsters-in-your-build-cache-github-actions-cache-poisoning"},{"key":"14_CR27","unstructured":"Renaux, J.: Use GitHub actions at your own risk. https:\/\/julienrenaux.fr\/2019\/12\/20\/github-actions-security-risk\/"},{"key":"14_CR28","doi-asserted-by":"crossref","unstructured":"Decan, A., Mens, T., Mazrae, P.R., Golzadeh, M.: On the use of github actions in software development repositories. In: 2022 IEEE International Conference on Software Maintenance and Evolution (ICSME), pp. 235\u2013245 (2022)","DOI":"10.1109\/ICSME55016.2022.00029"},{"key":"14_CR29","unstructured":"Lobacevski, J.: Producing artifacts. https:\/\/securitylab.github.com\/resources\/github-actions-preventing-pwn-requests\/"},{"key":"14_CR30","unstructured":"Khan, A.: Long Live the Pwn Request. https:\/\/www.praetorian.com\/blog\/pwn-request-hacking-microsoft-github-repositories-and-more\/"},{"key":"14_CR31","unstructured":"Heap, M.: The ultimate guide to GitHub Actions authentication. https:\/\/michaelheap.com\/ultimate-guide-github-actions-authentication\/"},{"key":"14_CR32","unstructured":"Mackenzie. Biggest security takeaway of 2020 - Don\u2019t leak secrets on GitHub. https:\/\/dev.to\/advocatemack\/biggest-security-takeaway-of-2020-don-t-leak-secrets-on-github-44k2"},{"key":"14_CR33","doi-asserted-by":"crossref","unstructured":"McIntosh, S.: Mining our way back to incremental builds for DevOps pipelines. In: Proceedings of the 21st International Conference on Mining Software Repositories (MSR), pp. 48\u201349. ACM (2024)","DOI":"10.1145\/3643991.3649106"},{"key":"14_CR34","unstructured":"Brudo, B.: GitHub Cache Poisoning. https:\/\/scribesecurity.com\/blog\/github-cache-poisoning"},{"key":"14_CR35","unstructured":"Noam, D.: GitHub Actions That Open the Door to CI\/CD Pipeline Attacks. https:\/\/www.legitsecurity.com\/blog\/github-actions-that-open-the-door-to-cicd-pipeline-attacks"},{"key":"14_CR36","unstructured":"Noam, D.: Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable. https:\/\/www.legitsecurity.com\/blog\/artifact-poisoning-vulnerability-discovered-in-rust"},{"key":"14_CR37","unstructured":"Khan, A.: Cacheract: The Monster in your Build Cache. https:\/\/adnanthekhan.com\/2024\/12\/21\/cacheract-the-monster-in-your-build-cache\/"},{"key":"14_CR38","unstructured":"Lobacevski, J.: Producing artifacts. https:\/\/slsa.dev\/spec\/v1.0\/requirements#isolated"},{"key":"14_CR39","unstructured":"Cardoen, G.: A dataset of GitHub Actions workflow histories (2024), version Number: 2024-10-25. https:\/\/doi.org\/10.5281\/zenodo.13985548"}],"container-title":["Lecture Notes in Computer Science","Product-Focused Software Process Improvement"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-12089-2_14","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,19]],"date-time":"2025-11-19T04:15:10Z","timestamp":1763525710000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-12089-2_14"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,20]]},"ISBN":["9783032120885","9783032120892"],"references-count":39,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-12089-2_14","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,11,20]]},"assertion":[{"value":"20 November 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"PROFES","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Product-Focused Software Process Improvement","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Salerno","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Italy","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"1 December 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"3 December 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"26","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"profes2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/conf.researchr.org\/home\/profes-2025","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}