GitHub Actions & Code Injection: Avoiding Vulnerable Configurations

GitHub Actions is an increasingly popular DevOps tool, mainly because of its rich marketplace and ease of use. As part of our research into the GitHub Actions security landscape, we found that writing a fully secure GitHub Actions workflow is harder than it looks: several pitfalls can have severe security consequences. For example, many developers use event input data to improve their workflow process.
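As an added illustration of that pattern (example configuration written for this page, not taken from the original article or any real repository), the workflow below shows an untrusted event field, the issue title, interpolated directly into a `run:` step, followed by the corrected form that passes the same value through an environment variable. The workflow, job and step names are assumed.

```yaml
# Constructed example: same workflow written two ways.
name: triage-issue
on:
  issues:
    types: [opened]

# Least privilege: this workflow only needs to read the repository.
permissions:
  contents: read

jobs:
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      # WEAK: the runner expands ${{ ... }} before the shell starts, so the
      # issue title is pasted into the script source. Shell metacharacters in
      # the title are executed rather than echoed.
      - run: echo "New issue: ${{ github.event.issue.title }}"

  hardened:
    runs-on: ubuntu-latest
    steps:
      # FIXED: bind the value to an environment variable instead. The script
      # source now contains only "$ISSUE_TITLE", and the quoted expansion is
      # treated by the shell as data, never as code.
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $ISSUE_TITLE"
```

The same rule applies to every attacker-controllable event field (pull request titles and bodies, branch names, commit messages, review comments): never place it inside `run:`, `script:` or similar inline-code inputs via `${{ }}`; pass it through `env:` and reference the variable.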