Defending GitHub Actions: Security Analysis with GASA
Why It Matters
GASA gives enterprises a scalable way to detect misconfigurations in GitHub Actions, preventing supply‑chain attacks and reinforcing a proactive DevOps security culture.
Key Takeaways
- GASA scans GitHub Actions admin and workflow settings for security risks.
- The tool flags dangerous defaults such as `pull_request_target` triggers in public repos.
- Uses local GitHub CLI authentication, avoiding personal access tokens.
- Designed for large orgs; can audit thousands of repositories in one run.
- Emphasizes a DevOps culture of “sins” tracking to remediate technical debt.
Summary
The video introduces GASA (GitHub Actions Security Analyzer), a Go‑based utility that audits GitHub Actions configurations across repositories. Its primary goal is to surface insecure admin settings—such as permissive `pull_request_target` events, third‑party actions that are not pinned to a commit hash, and overly broad workflow permissions—so teams can remediate them before they become exploitable. The presenter walks through GASA’s core checks, noting that it leverages the local GitHub CLI for authentication, eliminating the need for personal access tokens. By scanning repository‑level, organization‑level, and enterprise‑level settings, the tool can evaluate a single repo or scale to thousands, providing a consolidated view of potential exposure. The presenter highlights seven “sins” the analyzer currently flags, referencing a broader DevOps practice of logging technical debt as “Sins of the Data Center.” A memorable quote underscores the risk: “`pull_request_target` is a big no‑no, especially in public repos.” The discussion also touches on cultural aspects—reducing blame and tracking shortcuts—to foster continuous improvement. If adopted, GASA could become a standard part of CI/CD pipelines, either as a standalone CLI or a GitHub Action, helping organizations harden their automation surface, lower supply‑chain risk, and align security with DevOps principles.
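To make three of the misconfigurations named above concrete, here is a small added example (written for this page, not GASA's own code or its seven real checks) that scans a workflow file for a `pull_request_target` trigger, `uses:` references not pinned to a full 40-character commit SHA, and a missing or `write-all` top-level `permissions:` block. The two workflow texts are constructed samples, the commit SHA in the hardened one is a placeholder, and the check names (`pull_request_target`, `permissions`, `unpinned_action`) are this example's own labels, not GASA's.

```python
import re

# Constructed sample workflows (not from GASA or the video): one weak, one hardened.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      - run: make test
"""

HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - run: make test
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?([^\s'\"#]+)", re.M)
TOP_ON_RE = re.compile(r"^on:[ \t]*(.*)$", re.M)
TOP_PERMISSIONS_RE = re.compile(r"^permissions:[ \t]*([^\n#]*)", re.M)
KEY_RE = re.compile(r"[ \t]*-?[ \t]*([A-Za-z_]+)")


def workflow_triggers(text):
    """Return the set of event names under the top-level `on:` key.

    Handles `on: push`, `on: [push, pull_request]`, and the block form with
    one event per indented key (nested keys such as `types:` are skipped).
    """
    m = TOP_ON_RE.search(text)
    if not m:
        return set()
    inline = m.group(1).strip()
    if inline:
        return {e.strip() for e in inline.strip("[]").split(",") if e.strip()}
    events, indent = set(), None
    for line in text[m.end():].splitlines()[1:]:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith((" ", "\t")):
            break  # next top-level key ends the `on:` block
        leading = len(line) - len(line.lstrip())
        indent = leading if indent is None else indent
        km = KEY_RE.match(line)
        if leading == indent and km:
            events.add(km.group(1))
    return events


def unpinned_actions(text):
    """Return `uses:` references that are not pinned to a full commit SHA."""
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container references have no commit to pin
        _, sep, version = ref.partition("@")
        if not sep or not SHA_RE.match(version):
            findings.append(ref)  # tag or branch: resolves to whatever it points at today
    return findings


def permissions_finding(text):
    """Flag a missing or `write-all` top-level `permissions:` (job-level blocks are not inspected)."""
    m = TOP_PERMISSIONS_RE.search(text)
    if not m:
        return "no top-level permissions block; GITHUB_TOKEN falls back to the repo/org default"
    if m.group(1).strip() == "write-all":
        return "permissions: write-all grants every scope to GITHUB_TOKEN"
    return None


def scan(text, public_repo=True):
    """Run the three checks and return a list of (check, detail) tuples."""
    findings = []
    if "pull_request_target" in workflow_triggers(text):
        severity = "high" if public_repo else "medium"
        findings.append(("pull_request_target",
                         f"[{severity}] trigger runs in the base repo context with a privileged token"))
    perm = permissions_finding(text)
    if perm:
        findings.append(("permissions", perm))
    for ref in unpinned_actions(text):
        findings.append(("unpinned_action", f"{ref} is not pinned to a commit SHA"))
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, scan(wf) or "no findings")
```

Running the file prints three findings for the weak workflow and none for the hardened one. Real workflow YAML has more forms than these line-based regexes cover (quoted `"on":` keys, job-level `permissions:`, reusable workflows called via `uses:` at job level), which is one reason a purpose-built scanner such as GASA, driven through the authenticated GitHub CLI rather than file parsing alone, is the practical choice at organization scale.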