An Empirical Study on Workflows and Security Policies in Popular GitHub Repositories
May 25, 2023 Β· Declared Dead Β· π International Workshop on Support Vector Machines
"No code URL or promise found in abstract"
Evidence collected by the PWNC Scanner
Authors
Jessy Ayala, Joshua Garcia
arXiv ID
2305.16120
Category
cs.SE: Software Engineering
Cross-listed
cs.CR
Citations
12
Venue
International Workshop on Support Vector Machines
Last Checked
4 months ago
Abstract
In open-source projects, anyone can contribute, so it is important to have an active continuous integration and continuous delivery (CI/CD) pipeline in addition to a protocol for reporting security concerns, especially in projects that are widely used and belong to the software supply chain. Many of these projects are hosted on GitHub, where maintainers can create automated workflows using GitHub Actions, introduced in 2019, for inspecting proposed changes to source code and defining a security policy for reporting vulnerabilities. We conduct an empirical study to measure the usage of GitHub workflows and security policies in thousands of popular repositories based on the number of stars. After querying the top one-hundred and top one-thousand repositories from all 181 trending GitHub topics, and the top 4,900 overall repositories, totaling just over 173 thousand projects, we find that 37% of projects have workflows enabled and 7% have a security policy in place. Using the top 60 repositories from each of the 34 most popular programming languages on GitHub, 2,040 projects total, we find that 57% of projects have workflows enabled and 17% have a security policy in place. Furthermore, from those top repositories that have support for GitHub CodeQL static analysis, which performs bug and vulnerability checks, only 13.5% have it enabled; in fact, we find that only 1.7% of the top repositories using Kotlin have an active CodeQL scanning workflow. These results highlight that open-source project maintainers should prioritize configuring workflows, enabling automated static analysis whenever possible, and defining a security policy to prevent vulnerabilities from being introduced or remaining in source code.
Community Contributions
Found the code? Know the venue? Think something is wrong? Let us know!
π Similar Papers
In the same crypt β Software Engineering
R.I.P.
π»
Ghosted
R.I.P.
π»
Ghosted
Microservices: yesterday, today, and tomorrow
π
π
The Cartographer
A Survey of Machine Learning for Big Code and Naturalness
R.I.P.
π»
Ghosted
An Overview on Smart Contracts: Challenges, Advances and Platforms
R.I.P.
π»
Ghosted
Slither: A Static Analysis Framework For Smart Contracts
R.I.P.
π»
Ghosted
ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection
Died the same way β π» Ghosted
R.I.P.
π»
Ghosted
Federated Learning: Strategies for Improving Communication Efficiency
R.I.P.
π»
Ghosted
In-Datacenter Performance Analysis of a Tensor Processing Unit
R.I.P.
π»
Ghosted
Deep Convolutional Neural Networks for Computer-Aided Detection: CNN Architectures, Dataset Characteristics and Transfer Learning
R.I.P.
π»
Ghosted