{"id":"https://openalex.org/W4308562592","doi":"https://doi.org/10.1145/3560835.3564554","title":"Automatic Security Assessment of GitHub Actions Workflows","display_name":"Automatic Security Assessment of GitHub Actions Workflows","publication_year":2022,"publication_date":"2022-11-08","ids":{"openalex":"https://openalex.org/W4308562592","doi":"https://doi.org/10.1145/3560835.3564554"},"language":"en","primary_location":{"id":"doi:10.1145/3560835.3564554","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3560835.3564554","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3560835.3564554","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","raw_type":"proceedings-article"},"type":"preprint","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3560835.3564554","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5018136746","display_name":"Giacomo Benedetti","orcid":"https://orcid.org/0000-0003-2609-6787"},"institutions":[{"id":"https://openalex.org/I83816512","display_name":"University of Genoa","ror":"https://ror.org/0107c5v14","country_code":"IT","type":"education","lineage":["https://openalex.org/I83816512"]}],"countries":["IT"],"is_corresponding":true,"raw_author_name":"Giacomo Benedetti","raw_affiliation_strings":["University of Genoa, Genova, Italy"],"affiliations":[{"raw_affiliation_string":"University of Genoa, Genova, Italy","institution_ids":["https://openalex.org/I83816512"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5086504975","display_name":"Luca Verderame","orcid":"https://orcid.org/0000-0001-7155-7429"},"institutions":[{"id":"https://openalex.org/I83816512","display_name":"University of Genoa","ror":"https://ror.org/0107c5v14","country_code":"IT","type":"education","lineage":["https://openalex.org/I83816512"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Luca Verderame","raw_affiliation_strings":["University of Genoa, Genova, Italy"],"affiliations":[{"raw_affiliation_string":"University of Genoa, Genova, Italy","institution_ids":["https://openalex.org/I83816512"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5077703323","display_name":"Alessio Merlo","orcid":"https://orcid.org/0000-0002-2272-2376"},"institutions":[{"id":"https://openalex.org/I83816512","display_name":"University of Genoa","ror":"https://ror.org/0107c5v14","country_code":"IT","type":"education","lineage":["https://openalex.org/I83816512"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Alessio Merlo","raw_affiliation_strings":["University of Genoa, Genova, Italy"],"affiliations":[{"raw_affiliation_string":"University of Genoa, Genova, Italy","institution_ids":["https://openalex.org/I83816512"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5018136746"],"corresponding_institution_ids":["https://openalex.org/I83816512"],"apc_list":null,"apc_paid":null,"fwci":5.7429,"has_fulltext":true,"cited_by_count":20,"citation_normalized_percentile":{"value":0.96291765,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":98,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"37","last_page":"45"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9958000183105469,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9958000183105469,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.9878000020980835,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10430","display_name":"Software Engineering Techniques and Practices","score":0.9786999821662903,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/devops","display_name":"DevOps","score":0.8176164627075195},{"id":"https://openalex.org/keywords/workflow","display_name":"Workflow","score":0.8041209578514099},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7781772613525391},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.5498072504997253},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.5413787364959717},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.5205475091934204},{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.5126794576644897},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.47098562121391296},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.3424645662307739},{"id":"https://openalex.org/keywords/software-deployment","display_name":"Software deployment","score":0.2239179015159607},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.17803320288658142},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.1519838273525238},{"id":"https://openalex.org/keywords/security-service","display_name":"Security service","score":0.14790111780166626}],"concepts":[{"id":"https://openalex.org/C9903902","wikidata":"https://www.wikidata.org/wiki/Q3025536","display_name":"DevOps","level":3,"score":0.8176164627075195},{"id":"https://openalex.org/C177212765","wikidata":"https://www.wikidata.org/wiki/Q627335","display_name":"Workflow","level":2,"score":0.8041209578514099},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7781772613525391},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.5498072504997253},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.5413787364959717},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.5205475091934204},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.5126794576644897},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.47098562121391296},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3424645662307739},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.2239179015159607},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.17803320288658142},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.1519838273525238},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.14790111780166626}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3560835.3564554","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3560835.3564554","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3560835.3564554","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","raw_type":"proceedings-article"},{"id":"pmh:oai:iris.unige.it:11567/1145556","is_oa":true,"landing_page_url":"https://hdl.handle.net/11567/1145556","pdf_url":null,"source":{"id":"https://openalex.org/S4377196291","display_name":"CINECA IRIS Institutial Research Information System (University of Genoa)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I83816512","host_organization_name":"University of Genoa","host_organization_lineage":["https://openalex.org/I83816512"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"info:eu-repo/semantics/conferenceObject"}],"best_oa_location":{"id":"doi:10.1145/3560835.3564554","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3560835.3564554","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3560835.3564554","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4308562592.pdf","grobid_xml":"https://content.openalex.org/works/W4308562592.grobid-xml"},"referenced_works_count":4,"referenced_works":["https://openalex.org/W3030378309","https://openalex.org/W3155859537","https://openalex.org/W3156903202","https://openalex.org/W3196277935"],"related_works":["https://openalex.org/W4220665054","https://openalex.org/W4242507731","https://openalex.org/W2588979697","https://openalex.org/W3108642418","https://openalex.org/W2471667150","https://openalex.org/W2911278647","https://openalex.org/W2887439684","https://openalex.org/W2744284456","https://openalex.org/W2503060256","https://openalex.org/W4225698753"],"abstract_inverted_index":{"The":[0,122],"demand":[1],"for":[2,95],"quick":[3],"and":[4,43,115,150,154],"reliable":[5],"DevOps":[6],"operations":[7,21],"pushed":[8],"distributors":[9],"of":[10,74,133],"repository":[11,25],"platforms":[12],"to":[13,139],"implement":[14],"workflows.":[15],"Workflows":[16],"allow":[17],"automating":[18],"code":[19,53],"management":[20],"directly":[22,37],"on":[23,82,118],"the":[24,27,39,45,51,72,83,109,140,146],"hosting":[26],"software.":[28],"However,":[29],"this":[30,75,78],"feature":[31],"also":[32],"introduces":[33],"security":[34,92,135],"issues":[35,136],"that":[36,145],"affect":[38,64],"repository,":[40],"its":[41],"content,":[42],"all":[44],"software":[46,67,104],"supply":[47,105],"chains":[48],"in":[49,77,103,111],"which":[50,99],"hosted":[52],"is":[54,148],"involved":[55],"in.":[56],"Hence,":[57],"an":[58],"attack":[59],"exploiting":[60],"vulnerable":[61],"workflows":[62],"can":[63],"disruptively":[65],"large":[66],"ecosystems.":[68],"To":[69],"empirically":[70],"assess":[71],"importance":[73],"problem,":[76],"paper,":[79],"we":[80],"focus":[81],"de-facto":[84],"main":[85],"distributor":[86],"(i.e.,":[87],"GitHub).":[88],"We":[89,107],"developed":[90],"a":[91,112,131],"assessment":[93],"methodology":[94,110],"GitHub":[96],"Actions":[97],"workflows,":[98],"are":[100,125],"widely":[101],"adopted":[102],"chains.":[106],"implemented":[108],"tool":[113],"(GHAST)":[114],"applied":[116],"it":[117],"50":[119],"open-source":[120],"projects.":[121],"experimental":[123],"results":[124],"worrisome":[126],"as":[127],"they":[128],"allowed":[129],"identifying":[130],"total":[132],"24,905":[134],"(all":[137],"reported":[138],"corresponding":[141],"stakeholders),":[142],"thereby":[143],"indicating":[144],"problem":[147],"open":[149],"demands":[151],"further":[152],"research":[153],"investigation.":[155]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":5},{"year":2024,"cited_by_count":8},{"year":2023,"cited_by_count":5}],"updated_date":"2026-04-23T09:07:50.710637","created_date":"2025-10-10T00:00:00"}