{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,22]],"date-time":"2026-04-22T18:45:37Z","timestamp":1776883537702,"version":"3.51.2"},"publisher-location":"New York, NY, USA","reference-count":29,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,11,8]],"date-time":"2022-11-08T00:00:00Z","timestamp":1667865600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,11,11]]},"DOI":"10.1145\/3560835.3564554","type":"proceedings-article","created":{"date-parts":[[2022,11,9]],"date-time":"2022-11-09T02:38:26Z","timestamp":1667961506000},"page":"37-45","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":19,"title":["Automatic Security Assessment of GitHub Actions Workflows"],"prefix":"10.1145","author":[{"given":"Giacomo","family":"Benedetti","sequence":"first","affiliation":[{"name":"University of Genoa, Genova, Italy"}]},{"given":"Luca","family":"Verderame","sequence":"additional","affiliation":[{"name":"University of Genoa, Genova, Italy"}]},{"given":"Alessio","family":"Merlo","sequence":"additional","affiliation":[{"name":"University of Genoa, Genova, Italy"}]}],"member":"320","published-online":{"date-parts":[[2022,11,8]]},"reference":[{"key":"e_1_3_2_2_1_1","doi-asserted-by":"publisher","DOI":"10.1007\/978--3-031--14179--9_19"},{"key":"e_1_3_2_2_2_1","volume-title":"Retrieved","author":"Open Policy","year":"2022","unstructured":"Open Policy Agent contributors. 2022. Open policy agent. Retrieved July 22, 2022 from https:\/\/www.openpolicyagent.org."},{"key":"e_1_3_2_2_3_1","volume-title":"Retrieved","author":"Cybersecurity and Infrastructure Security Agency","year":"2021","unstructured":"Cybersecurity and Infrastructure Security Agency. 2021. Defending Against Software Supply Chain Attacks. Retrieved July 22, 2022 from https:\/\/www.cisa .gov\/sites\/default\/files\/publications\/defending_against_sof tware_supply_ch ain_attacks_508_1.pdf."},{"key":"e_1_3_2_2_4_1","volume-title":"Publications Office. Retrieved","author":"European Union Agency for Cybersecurity.","year":"2021","unstructured":"European Union Agency for Cybersecurity. 2021. ENISA threat landscape for supply chain attacks. Publications Office. Retrieved July 22, 2022 from https:\/\/d ata.europa.eu\/doi\/10.2824\/168593."},{"key":"e_1_3_2_2_5_1","volume-title":"Retrieved","year":"2022","unstructured":"GitHub. 2022. Automatic token authentication. Retrieved July 22, 2022 from https:\/\/docs.github.com\/en\/actions\/security-guides\/automatic-token-authen tication."},{"key":"e_1_3_2_2_6_1","volume-title":"Retrieved","year":"2022","unstructured":"GitHub. 2022. GitHub actions. Retrieved July 22, 2022 from https:\/\/docs.github .com\/en\/actions."},{"key":"e_1_3_2_2_7_1","volume-title":"Retrieved","year":"2022","unstructured":"GitHub. 2022. GitHub contexts - github. Retrieved July 22, 2022 from https:\/\/d ocs.github.com\/en\/actions\/learn-github-actions\/contexts#github-context."},{"key":"e_1_3_2_2_8_1","volume-title":"Retrieved","year":"2022","unstructured":"GitHub. 2022. GitHub contexts - secrets. Retrieved July 22, 2022 from https:\/\/d ocs.github.com\/en\/actions\/learn-github-actions\/contexts#secrets-context."},{"key":"e_1_3_2_2_9_1","volume-title":"Retrieved","year":"2022","unstructured":"GitHub. 2022. Reusing workflows. Retrieved July 22, 2022 from https:\/\/docs.git hub.com\/en\/actions\/using-workflows\/reusing-workflows."},{"key":"e_1_3_2_2_10_1","volume-title":"Retrieved","year":"2022","unstructured":"GitHub. 2022. Security hardening for github actions. Retrieved July 22, 2022 from https:\/\/docs.github.com\/en\/actions\/security-guides\/security-hardening -for-github-actions."},{"key":"e_1_3_2_2_11_1","volume-title":"Retrieved","year":"2022","unstructured":"GitHub. 2022. Security hardening for GitHub actions: restricting permissions for tokens. Retrieved July 22, 2022 from https:\/\/docs.github.com\/en\/actions\/se curity-guides\/security-hardening-for-github-actions#restricting-permission s-for-tokens."},{"key":"e_1_3_2_2_12_1","volume-title":"Retrieved","year":"2022","unstructured":"GitHub. 2022. Security hardening for GitHub actions: using secrets. Retrieved July 22, 2022 from https:\/\/docs.github.com\/en\/actions\/security-guides\/security -hardening-for-github-actions#using-secrets."},{"key":"e_1_3_2_2_13_1","volume-title":"Retrieved","year":"2022","unstructured":"GitHub. 2022. Security hardening for github actions: using third-party actions. Retrieved July 22, 2022 from https:\/\/docs.github.com\/en\/actions\/security-guid es\/security-hardening-for-github-actions#using-third-party-actions."},{"key":"e_1_3_2_2_14_1","volume-title":"Retrieved","year":"2022","unstructured":"GitHub. 2022. Using filters. Retrieved July 22, 2022 from https:\/\/docs.github.co m\/en\/actions\/using-workflows\/workflow-syntax-for-github-actions#usingfilters."},{"key":"e_1_3_2_2_15_1","unstructured":"GNU. 2020. Bash reference manual - command substitution. https:\/\/www.gnu .org\/savannah-checkouts\/gnu\/bash\/manual\/bash.html#Command-Substituti on."},{"key":"e_1_3_2_2_16_1","unstructured":"GNU. 2020. Bash reference manual - here documents. https:\/\/www.gnu.org\/sa vannah-checkouts\/gnu\/bash\/manual\/bash.html#Here-Documents."},{"key":"e_1_3_2_2_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME46990.2020.00071"},{"key":"e_1_3_2_2_18_1","volume-title":"Retrieved","author":"Herr Trey","year":"2022","unstructured":"Trey Herr, Will Loomis, Emma Schroeder, Stewart Scott, Simon Handler, Tianjiu Zuo, and Atlantic Council of the United States. 2021. Broken trust: lessons from Sunburst. Retrieved July 22, 2022 from https:\/\/www.atlanticcouncil.org\/in -depth-research-reports\/report\/broken-trust-lessons-from-sunburst\/."},{"key":"e_1_3_2_2_19_1","volume-title":"Retrieved","author":"Neo4j Inc.","year":"2022","unstructured":"Neo4j Inc. 2022. Neo4j graph database. Retrieved July 22, 2022 from https:\/\/ne o4j.com\/product\/neo4j-graph-database\/"},{"key":"e_1_3_2_2_20_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Koishybayev Igibek","year":"2022","unstructured":"Igibek Koishybayev, Aleksandr Nahapetyan, Raima Zachariah, Siddharth Muralee, Bradley Reaves, Alexandros Kapravelos, and Aravind Machiry. 2022. Characterizing the security of github CI workflows. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, (Aug. 2022), 2747--2763. isbn: 978--1--939133--31--1. https:\/\/www.usenix.org\/conferenc e\/usenixsecurity22\/presentation\/koishybayev."},{"key":"e_1_3_2_2_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2021.3073045"},{"key":"e_1_3_2_2_22_1","volume-title":"Retrieved","author":"Logan Magno","year":"2022","unstructured":"Magno Logan. 2022. GitHub action runners: analyzing the environment and security in action. Retrieved July 22, 2022 from https:\/\/www.trendmicro.com\/v info\/us\/security\/news\/cybercrime-and-digital-threats\/github-action-runner s-analyzing-the-environment-and-security-in-action."},{"key":"e_1_3_2_2_23_1","volume-title":"Retrieved","author":"OWASP.","year":"2020","unstructured":"OWASP. 2020. OWASP Software Component Verification Standard. Retrieved July 22, 2022 from https:\/\/owasp.org\/www-project-sof tware-component-verif ication-standard\/."},{"key":"e_1_3_2_2_24_1","volume-title":"Retrieved","year":"2021","unstructured":"Radware. 2021. Log4shell: critical log4j vulnerability. Retrieved July 22, 2022 from https:\/\/www.radware.com\/security\/threat-advisories-and-attack-repor ts\/log4shell-critical-log4j-vulnerability\/."},{"key":"e_1_3_2_2_25_1","volume-title":"Retrieved","year":"2022","unstructured":"Scribe. 2022. Gitgat. Retrieved July 22, 2022 from https:\/\/github.com\/scribe-pu blic\/gitgat."},{"key":"e_1_3_2_2_26_1","volume-title":"Retrieved","author":"Segura Thomas","year":"2022","unstructured":"Thomas Segura. 2022. GitHub actions security best practices. Retrieved July 22, 2022 from https:\/\/blog.gitguardian.com\/github-actions-security-cheat-sheet\/."},{"key":"e_1_3_2_2_27_1","volume-title":"Retrieved","year":"2022","unstructured":"Tinder. 2022. Gh-workflow-auditor. Retrieved July 22, 2022 from https:\/\/githu b.com\/TinderSec\/gh-workflow-auditor."},{"key":"e_1_3_2_2_28_1","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Torres-Arias Santiago","year":"2019","unstructured":"Santiago Torres-Arias, Hammad Afzali, Trishank Karthik Kuppusamy, Reza Curtmola, and Justin Cappos. 2019. In-toto: providing farm-to-table guarantees for bits and bytes. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, (Aug. 2019), 1393--1410. isbn: 978--1- 939133-06--9. https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentat ion\/torres-arias."},{"key":"e_1_3_2_2_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468592"}],"event":{"name":"CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security","location":"Los Angeles CA USA","acronym":"CCS '22","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3560835.3564554","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3560835.3564554","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:49:09Z","timestamp":1750182549000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3560835.3564554"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,11,8]]},"references-count":29,"alternative-id":["10.1145\/3560835.3564554","10.1145\/3560835"],"URL":"https:\/\/doi.org\/10.1145\/3560835.3564554","relation":{},"subject":[],"published":{"date-parts":[[2022,11,8]]},"assertion":[{"value":"2022-11-08","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}