Summary
Today, there is no way for a consumer of an individual action to determine its trustworthiness and quality, other than analyzing whether it comes from a verified creator. Enterprises have been asking for actions that follow standards (e.g. CodeQL, timely dependency updates, etc.).
When this work is complete, we will automatically run checks on repositories hosting published Actions to determine if the repository where the Action is hosted follows security best practices. We use a subset of OpenSSF (Open Source Security Foundation) scorecard checks to make this determination and publish that metadata as part of the Action listing page and details.
Intended Outcome
We are building this to continue our credibility with customers that GitHub is serious about security. With 17K actions on the Marketplace and more getting added every day, it's imperative that we surface the necessary metadata for consumers to be able to make decisions about what actions they can rely on.
How will it work?
Whenever there's a state change in a repository (based on certain rules), a dynamic workflow is kicked off to run the checks. The results from the scoring are then surfaced on the listing page. Since it's a new change, once we go GA, we will give action creators a grace period to make any desired changes, after which the results will be automatically published to the listing details page. New actions authored and published after the GA date will automatically get graded.
These checks against a repository that's hosting the action will evaluate holistic security practices, source risk assessment and build risk assessment.
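The consumer-side decision the roadmap item describes (use Scorecard-derived metadata to decide which actions to rely on), worked as an added example that is not part of the original issue and is not GitHub's implementation. It parses the `uses:` references in a workflow, looks each repository up in a table of OpenSSF Scorecard results, and applies a hypothetical policy: a minimum aggregate score, minimum scores on a few named checks, and a requirement that the action be pinned to a full commit SHA rather than a movable tag or branch. The sample workflow and the score table are constructed inline; the JSON shape (`score`, `checks[].name`, `checks[].score`) mirrors what `scorecard --format=json` emits but is an assumption here, and the thresholds are illustrative, not anything the roadmap specified.

```python
"""Gate the actions a workflow uses against OpenSSF Scorecard results.

Hypothetical consumer-side policy; sample workflow and scores are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-go@v5
      - uses: example-org/unscored-action@main
      - run: go test ./...
"""

# Constructed Scorecard-style results keyed by repository. The field layout
# is assumed to match `scorecard --repo=github.com/<owner>/<repo> --format=json`.
SAMPLE_SCORES: Dict[str, dict] = {
    "github.com/actions/checkout": {"score": 8.1, "checks": [
        {"name": "Pinned-Dependencies", "score": 10},
        {"name": "Token-Permissions", "score": 10},
        {"name": "Dangerous-Workflow", "score": 10},
        {"name": "Vulnerabilities", "score": 10},
    ]},
    "github.com/actions/setup-go": {"score": 6.2, "checks": [
        {"name": "Pinned-Dependencies", "score": 3},
        {"name": "Token-Permissions", "score": 10},
        {"name": "Dangerous-Workflow", "score": 10},
        {"name": "Vulnerabilities", "score": 10},
    ]},
}

# Matches `uses: owner/repo[/path]@ref`; local (./x) and docker:// steps do
# not resolve to a GitHub repository and therefore do not match.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+)/([\w.-]+)(/[^@\s]*)?@(\S+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Policy:
    """Hypothetical thresholds; tune to your own risk appetite."""
    min_score: float = 7.0
    required_checks: Dict[str, int] = field(default_factory=lambda: {
        "Dangerous-Workflow": 10,   # any dangerous pattern is disqualifying
        "Token-Permissions": 5,
        "Pinned-Dependencies": 5,
    })


@dataclass
class Finding:
    action: str
    ok: bool
    reasons: List[str]


def parse_uses(workflow: str) -> List[Tuple[str, str, str]]:
    """Return (owner, repo, ref) for every `uses:` step that names a repository."""
    return [(m.group(1), m.group(2), m.group(4)) for m in USES_RE.finditer(workflow)]


def grade_action(owner: str, repo: str, ref: str,
                 scores: Dict[str, dict], policy: Policy) -> Finding:
    name = f"{owner}/{repo}@{ref}"
    reasons: List[str] = []
    # A tag or branch can be moved after review; only a full SHA is immutable.
    if not SHA_RE.match(ref):
        reasons.append("not pinned to a full commit SHA (tag/branch can be moved)")
    result: Optional[dict] = scores.get(f"github.com/{owner}/{repo}")
    if result is None:
        reasons.append("no Scorecard result for repository")
        return Finding(name, False, reasons)
    if result["score"] < policy.min_score:
        reasons.append(f"aggregate score {result['score']} < {policy.min_score}")
    by_name = {c["name"]: c["score"] for c in result["checks"]}
    for check, minimum in policy.required_checks.items():
        got = by_name.get(check)
        if got is None or got < minimum:
            reasons.append(f"{check}={got} below required {minimum}")
    return Finding(name, not reasons, reasons)


def gate_workflow(workflow: str, scores: Dict[str, dict],
                  policy: Optional[Policy] = None) -> List[Finding]:
    policy = policy or Policy()
    return [grade_action(o, r, ref, scores, policy) for o, r, ref in parse_uses(workflow)]


if __name__ == "__main__":
    for f in gate_workflow(SAMPLE_WORKFLOW, SAMPLE_SCORES):
        print(("PASS " if f.ok else "FAIL ") + f.action, *f.reasons, sep="\n    ")
```

In the sample, `actions/checkout` passes (pinned by SHA, all checks above threshold), `actions/setup-go` fails on three counts (tag pin, aggregate score, weak `Pinned-Dependencies`), and the unscored action fails because there is nothing to grade it against; treating "no result" as a failure rather than a pass is the safe default for a gate like this.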
This issue is being closed as outdated. For more information, please check out this Discussion post. Stay tuned for new additions to our refreshed public roadmap!
We wanted to provide more details on why we removed this from the roadmap. We're continuing to invest in the security of the Actions ecosystem, and giving publishers and consumers tools to verify and attest to the source of workflows and artifacts created with them.
Currently, we are prioritizing investments into Immutable Actions (#592), release and artifact attestations. We're removing this change from the roadmap for now while we focus our investment into those areas.
If you’re interested in this feature, please share your feedback in the GitHub community so we can track interest and consider it in the future.