Persistent Risks in GitHub Actions: How Developers Address, Prioritize, or Neglect Security Vulnerabilities in CI/CD Pipelines

Context

The increasing adoption of continuous integration and continuous deployment (CI/CD) practices has transformed software development, with GitHub Actions playing a key role in automating workflows. Many projects rely on third-party GitHub Actions, which streamline deployment but also introduce security vulnerabilities due to outdated dependencies, excessive permissions, or lack of maintenance.

Despite the availability of security mechanisms such as Dependabot alerts and the GitHub Advisory Database, vulnerabilities often remain unpatched for long periods, leaving repositories exposed to supply chain attacks. Understanding how developers address, prioritize, or neglect these vulnerabilities is key to improving security practices in CI/CD environments.

Motivation

Security vulnerabilities in package managers like npm and PyPI have been extensively analyzed, leading to automated dependency management tools that help mitigate risks. In contrast, the security risks associated with GitHub Actions workflows remain underexplored, despite their widespread adoption in CI/CD automation. Unlike traditional package dependencies, third-party GitHub Actions execute within privileged environments, interact dynamically with repositories, and often lack strict versioning or long-term maintenance. These characteristics increase the likelihood of vulnerabilities persisting unnoticed.

Developers frequently overlook or delay updates to these actions, even when security alerts are issued. This pattern raises concerns about the effectiveness of security notifications, the factors influencing remediation, and the timeframe in which vulnerabilities remain unaddressed. Some vulnerabilities may be fixed quickly, while others remain unresolved for extended periods, exposing repositories to long-term security risks. Identifying the scope of unaddressed vulnerabilities, understanding how developers respond to alerts, and examining the obstacles to remediation will clarify the security challenges in GitHub Actions workflows.

Goal

The goal of this project is to conduct an empirical study on how developers respond to security vulnerabilities in third-party GitHub Actions used in CI/CD pipelines. The study will focus on:

1. Quantifying the prevalence of unresolved vulnerabilities in GitHub Actions.
2. Analyzing developer responses to security alerts.
3. Identifying the key factors that determine whether vulnerabilities are mitigated, ignored, or left unresolved.
4. Measuring how long vulnerabilities remain unpatched.
5. Evaluating the effectiveness of GitHub’s security alert mechanisms (e.g., Dependabot, GitHub Advisory Database).

Requirements

• Proficiency in Python/R for data analysis.
• Knowledge of Git and version control systems.
• Familiarity with empirical software engineering and data-driven research methods is beneficial.

Pointers

• Koishybayev, I. et al. (2022).  Characterizing the Security of GitHub CI Workflows
• OWASP (2021).  Top 10 CI/CD Security Risks
• Williams, L., et al. (2025).  Research Directions in Software Supply Chain Security
• Miller, C. et al. (2025).  Understanding the response to open-source dependency abandonment in the npm ecosystem
• Onsori H. et al (2024).  Quantifying Security Issues in Reusable JavaScript Actions in GitHub Workflows