An Empirical Study on Workflows and Security Policies in Popular GitHub Repositories
share
In open-source projects, anyone can contribute, so it is important to have an active continuous integration and continuous delivery (CI/CD) pipeline in addition to a protocol for reporting security concerns, especially in projects that are widely used and belong to the software supply chain. Many of these projects are hosted on GitHub, where maintainers can create automated workflows using GitHub Actions, introduced in 2019, for inspecting proposed changes to source code and defining a security policy for reporting vulnerabilities. We conduct an empirical study to measure the usage of GitHub workflows and security policies in thousands of popular repositories based on the number of stars. After querying the top one-hundred and top one-thousand repositories from all 181 trending GitHub topics, and the top 4,900 overall repositories, totaling just over 173 thousand projects, we find that 37 workflows enabled and 7 repositories from each of the 34 most popular programming languages on GitHub, 2,040 projects total, we find that 57 17 that have support for GitHub CodeQL static analysis, which performs bug and vulnerability checks, only 13.5 1.7 workflow. These results highlight that open-source project maintainers should prioritize configuring workflows, enabling automated static analysis whenever possible, and defining a security policy to prevent vulnerabilities from being introduced or remaining in source code.
READ FULL TEXT