0

Hi Github & Gitleak Users,

I wanted to use a SAST tool gitleaks / gitleaks-action which is available on gihub marketplace and it fits our requirement.

My concern is ,

Since the scanner going to run on public and private repo of our GitHub organisation, is it completely safe to trust apps available on the Github Marketplace (which is available free).

is "MIT License" requirement has check in place to ensure integrity of the tool made available so that endusers can install these security tools with confidence ? After the GitHub repo scanned by gitleaks, the result obtained kept secured?

Thanks,

rgh
  • 40
  • 2
  • 11

1 Answers1

0

Your question is not duplicated, but it looks a lot like this one.

The answer is (unfortunately) NO

It is NOT completely safe to trust apps available on the Github Marketplace.

You can find some references here:

Understand that this is the same thing with most libraries you use to code on a daily basis.

Github Actions on the Github Marketplace are generally public open source repositories, and aren't always backed-up by big companies.

Most of them do simple operations that you can check by looking at the repository code, but it is always possible for the owner to configure malicious things deep inside the implementation.

That's why you need to be aware of this when choosing one or another action/library, and be cautious and check the code and its eventual vulnerabilities before using them for your own projects.

Be even more cautious if you need to inform Personal Access Token (PAT) as input variable.

Note that Github shows verified users on the Marketplace, which can be considered as 'trusted'.

Example:

enter image description here

Hopefully, not everyone has this mindset (of doing malicious things), and the community is most of the time helpful. Just be aware that there might always be some risks (and some security tools can help with that).

GuiFalourd
  • 15,523
  • 8
  • 44
  • 71
  • Thanks, the consolidated shared info helped a lot. I am surprised to see most stared apps like gitleaks is not having "Verified" badge ( domain is not Verified domains). Insted of using GitHub Apps in GitHub Actions, is it recommended to host the same App (like gitleaks) on a in-premises host, is this approach better than running the app using GitHub Actions? – rgh Jun 03 '21 at 17:59
  • I don't think those approaches are different. If you trust the **Gitleaks** app, there is not problem using its action with Github Actions, the behaviour will be the same either on Github Actions or in a in-premisses host (the libraries, codes or actions you'll use will be the same in both approaches). – GuiFalourd Jun 03 '21 at 18:15