GitHub Action-Control: A Tool for Managing GitHub Actions Across Your Organization


GitHub – ihavespoons/action-control: https://github.com/ihavespoons/action-control

Ben Gittins has developed action-control, a tool designed to help organizations manage and audit GitHub Actions usage across repositories. This tool provides visibility into which actions are being used, enforces security policies, and helps prevent supply chain attacks.

Key Features:

  • Scans single repositories or entire GitHub organizations to list actions in use.
  • Identifies most commonly used actions (with ongoing improvements).
  • Can be run as a GitHub Action to enforce allow/deny lists.

Upcoming Features:

  • Integration with GitHub Security Scanning API.
  • GitHub App for easier deployment.
  • Static analysis for action quality and safety.
  • Action pinning enforcement (similar to Ratchet).
  • Blacklisting malicious action versions.
  • Support for immutable actions.

You Should Know: How to Secure GitHub Actions in Your Workflow

GitHub Actions are powerful but can introduce security risks if misconfigured. Below are verified commands, scripts, and best practices to enhance security.

1. Enforce Action Pinning (SHA over Tags)

Using commit SHAs instead of tags prevents malicious updates.

steps:
  - uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675  # full SHA instead of @v3

2. Restrict Permissions with `permissions` Keyword

Limit unnecessary access:

permissions:
  contents: read
  issues: write

3. Audit Actions with `action-control`

Run the tool locally:

git clone https://github.com/ihavespoons/action-control.git
cd action-control
python3 -m pip install -r requirements.txt
python3 action_control.py --org YOUR_ORG_NAME

4. Use GitHub’s Security Features

Enable Dependabot alerts and Code Scanning:

# Enable Dependabot alerts via the REST API (requires a GitHub token)
curl -X PUT \
  -H "Authorization: token YOUR_GITHUB_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/repos/OWNER/REPO/vulnerability-alerts

5. Block Risky Actions with `allowed-actions`

In `workflow.yml`:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: echo "Only trusted actions allowed"
    permissions:
      actions: read
      checks: write
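The checks described in sections 1, 3 and 5 (is every action pinned to a full commit SHA, and does every action fall inside an allow list and outside a deny list) can be demonstrated in a few dozen lines. The script below is an added example written for this article; it is not code from the action-control repository, and the function names (`parse_uses`, `evaluate`, `count_actions`), the policy shape and the sample workflow are all assumptions made here. It extracts `uses:` references with a regular expression rather than a YAML parser so it runs with the standard library alone.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample workflow (not taken from any real repository). It mixes a
# SHA-pinned action, tag- and branch-pinned actions, a local action and a
# docker:// reference so that every branch of the checker is exercised.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675 # v3
      - uses: actions/setup-node@v4
      - uses: some-vendor/unknown-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
"""

# Matches "uses: <value>" (optionally as a list item) and stops at whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# A full-length commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class ActionRef:
    repo: str            # "owner/name" (optionally with a sub-path) for remote actions
    ref: Optional[str]   # the part after "@"; None for local and docker references
    kind: str            # "remote", "local" or "docker"

    @property
    def pinned(self) -> bool:
        # Only remote actions can be SHA-pinned; local paths and docker:// refs are out of scope here.
        if self.kind != "remote":
            return True
        return self.ref is not None and bool(SHA_RE.match(self.ref))


def parse_uses(workflow_text: str) -> List[ActionRef]:
    """Return every action referenced by a `uses:` line, classified by kind."""
    refs: List[ActionRef] = []
    for match in USES_RE.finditer(workflow_text):
        value = match.group(1)
        if value.startswith("./"):
            refs.append(ActionRef(value, None, "local"))
        elif value.startswith("docker://"):
            refs.append(ActionRef(value, None, "docker"))
        else:
            repo, _, ref = value.partition("@")
            refs.append(ActionRef(repo, ref or None, "remote"))
    return refs


def count_actions(refs: List[ActionRef]) -> Dict[str, int]:
    """Usage count per remote action (the "most commonly used actions" view)."""
    return dict(Counter(r.repo for r in refs if r.kind == "remote"))


def evaluate(refs: List[ActionRef], allowed_owners: Set[str],
             denied_actions: Set[str], require_sha: bool = True) -> List[Tuple[str, str]]:
    """Apply an allow list (by owner), a deny list (by action) and the SHA-pinning rule.

    Returns (action, reason) pairs; an empty list means the workflow passes policy.
    """
    findings: List[Tuple[str, str]] = []
    for r in refs:
        if r.kind != "remote":
            continue
        owner = r.repo.split("/", 1)[0]
        if r.repo in denied_actions:
            findings.append((r.repo, "denied"))
        elif allowed_owners and owner not in allowed_owners:
            findings.append((r.repo, "not-allowlisted"))
        if require_sha and not r.pinned:
            findings.append((r.repo, "unpinned"))
    return findings


if __name__ == "__main__":
    refs = parse_uses(SAMPLE_WORKFLOW)
    print("usage counts:", count_actions(refs))
    for action, reason in evaluate(refs, {"actions"}, {"some-vendor/unknown-action"}):
        print(f"POLICY VIOLATION: {action}: {reason}")
```

Run against the sample, the script reports `actions/setup-node` as unpinned and `some-vendor/unknown-action` as both denied and unpinned, while the SHA-pinned `actions/checkout` passes. Wiring the same logic into a workflow step and failing the job on a non-empty findings list is the enforcement mode section 5 describes.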

6. Monitor Action Usage with GitHub API

List workflows in a repo:

curl -H "Authorization: token YOUR_GITHUB_TOKEN" \
  https://api.github.com/repos/OWNER/REPO/actions/workflows

What Undercode Say

GitHub Actions are a critical part of CI/CD, but supply chain attacks are rising. Tools like `action-control` help organizations track, audit, and restrict third-party actions.

Additional Security Commands:

  • Check workflow syntax:
    act --dry-run

  • List all workflows in an org:
    gh api /orgs/ORG/actions/workflows --paginate

  • Revoke compromised tokens:
    gh auth logout

  • Scan for secrets in workflows:
    trufflehog git https://github.com/OWNER/REPO --only-verified
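The last item above runs a full secret scanner over the repository history. A narrower, workflow-specific check is worth having as well: flag token-shaped literals committed into workflow files and `run:` steps that echo a `${{ secrets.* }}` value. The script below is an added example written for this article, not part of the action-control project or of trufflehog; the sample workflow is constructed, the `ghp_` literal in it is filler in the shape of a classic personal access token and not a real credential, and the function name `scan_workflow` is an assumption.

```python
import re
from typing import List, Tuple

# Constructed sample (not from any real repository). The token value is
# "ghp_" followed by 36 filler characters, i.e. the shape of a classic PAT.
SAMPLE_WORKFLOW = """\
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ghp_{filler}
    steps:
      - run: echo "token is ${{{{ secrets.DEPLOY_KEY }}}}"
      - run: ./deploy.sh
        env:
          DEPLOY_KEY: ${{{{ secrets.DEPLOY_KEY }}}}
""".format(filler="A" * 36)

# Classic GitHub token formats: a known prefix followed by 36 alphanumerics.
TOKEN_RE = re.compile(r"\b(gh[pousr])_[A-Za-z0-9]{36}\b")
# A `run:` step whose command echoes a workflow secret.
ECHO_SECRET_RE = re.compile(r"^\s*-\s*run:.*\becho\b.*\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")


def scan_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding kind, detail) for each suspicious line.

    Detail for a hardcoded token is only its prefix, so the scanner never
    re-emits the credential it found.
    """
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        token = TOKEN_RE.search(line)
        if token:
            findings.append((lineno, "hardcoded-token", token.group(1) + "_..."))
        echoed = ECHO_SECRET_RE.search(line)
        if echoed:
            findings.append((lineno, "secret-echoed", echoed.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {kind} ({detail})")
```

On the sample this reports the `GH_TOKEN` literal on line 7 and the echoed `DEPLOY_KEY` on line 9; the step that passes the secret through an `env:` mapping on line 12 is not flagged, because that is the intended way to hand a secret to a command. A hit on the hardcoded-token rule is a signal to rotate the token and rewrite history, not merely to delete the line.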

Final Tip: Always pin actions to full-length SHAs, review third-party code, and use automated scanning tools.

Expected Output:

A secure, auditable GitHub Actions workflow with minimized attack surface through pinning, permissions control, and automated enforcement.


References:

Reported By: Ben Gittins – Hackers Feeds