
How safe is it to use a GitHub Action contributed by a third party?

Çağlar Arlı      -    15 Views

I'm considering using a GitHub Action from the GitHub Marketplace to back up some of my source code to an AWS S3 bucket.

My question is this: I found a GitHub Action, written by a third-party open source contributor, with its source code available on GitHub. Should I be concerned about the security of this arrangement?

  • What would prevent the contributor from giving access to the GitHub Action source repo to someone else (potentially a malicious actor) who could then modify the action code?
  • Does GitHub validate that these contributed Actions are not malicious and do only what they claim to do?
  • If so, do they validate this each time a code change is made to the Action repo? Each time that a new version of the Action is released?

I'm concerned that a malicious actor could modify the GitHub Action code unbeknownst to me and copy my source code to a location of their choosing.
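The risk described in the question is that the action's code can change after it is adopted, because a tag or branch in the action repo can be re-pointed by whoever controls it. One standard mitigation is to pin each `uses:` reference to a full commit SHA. The following is an added example, not part of the original post, that scans a workflow and flags references that are not SHA-pinned; the workflow text and the action name `example-org/s3-backup-action` are constructed placeholders.

```python
import re

# Constructed sample workflow for this example (not from the original post).
# "example-org/s3-backup-action" is a placeholder name, not a real action.
SAMPLE_WORKFLOW = """\
name: backup
on: [push]
jobs:
  backup:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/s3-backup-action@main
      - uses: example-org/s3-backup-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - run: echo done
"""

# Matches "uses:" step lines; the value may be quoted in real workflows.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(ref):
    """Classify a 'uses:' reference as 'local', 'container', 'sha' or 'mutable'."""
    # Only a full 40-character commit SHA freezes the action's code; a tag or
    # branch can be re-pointed later by whoever controls the action repo.
    ref = ref.strip("\"'")
    if ref.startswith("./"):
        return "local"       # lives in this repo, reviewed with the code
    if ref.startswith("docker://"):
        return "container"   # image refs need digest pinning; out of scope here
    if "@" not in ref:
        return "mutable"     # no ref at all resolves to the default branch
    version = ref.rpartition("@")[2]
    return "sha" if FULL_SHA_RE.match(version) else "mutable"

def find_mutable_uses(workflow_text):
    """Return [(line_number, ref)] for every step whose action is not SHA-pinned."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match and classify_ref(match.group(1)) == "mutable":
            findings.append((number, match.group(1).strip("\"'")))
    return findings

if __name__ == "__main__":
    for number, ref in find_mutable_uses(SAMPLE_WORKFLOW):
        print(f"line {number}: {ref} is not pinned to a commit SHA")
```

Pinning to a SHA only freezes the action you reference directly; anything that action itself pulls at run time still has to be reviewed separately.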