Insufficient Audit Logging
Description
Deploy or publishing jobs that fetch secrets, push artifacts, or touch production often run without structured logging. If a credential is abused, there’s no trace of which workflow step used it, when, or with what parameters—making incident response nearly impossible. GitHub recommends emitting explicit audit logs (to stdout or external systems) for sensitive steps and using the organization audit log for GitHub-native events. 1
Vulnerable Instance
- Workflow publishes a package using production credentials.
- No step logs who triggered the workflow, which version was deployed, or where artifacts were pushed.
```yaml
name: Publish
on: workflow_dispatch
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish package
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: npm publish
```

If the token leaks or is abused, there's no record tying the action to a human or artifact.
Mitigation Strategies
- Log sensitive steps: Emit structured JSON (timestamp, actor, commit SHA, artifact metadata) before and after deployments.
- Store logs centrally: Ship logs to CloudWatch, Stackdriver, or another SIEM with retention and tamper protection.
- Capture context: Include workflow ID, run URL, triggering user, inputs, and exit status in each log entry.
- Alert on anomalies: Configure rules for unexpected branches, repeated failures, or off-hours deployments.
- Leverage GitHub audit log: Enable org-level audit logging and correlate workflow events with GitHub-generated records. 1
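One way to produce entries that carry the context the list above asks for (timestamp, actor, commit SHA, run URL, triggering user, inputs and exit status), as an added Python example that is not from the page or from GitHub's own documentation. The script name `audit_log.py` and the `AUDIT_INPUTS` / `AUDIT_ARTIFACT` variable names are assumptions; the `GITHUB_*` variables are the ones GitHub Actions exports to every runner. Credential-looking input names are masked so the audit trail itself never becomes a second leak.

```python
"""Emit a structured JSON audit entry for a sensitive workflow step.

Added example, not part of the original page. Assumed use in a workflow step
(script name audit_log.py is hypothetical):

    python audit_log.py deploy_start
    npm publish; STATUS=$?
    python audit_log.py deploy_end --exit-status "$STATUS"; exit "$STATUS"
"""
import json
import os
import sys
from datetime import datetime, timezone

# Runner environment variables that identify the workflow, commit and actor.
CONTEXT_VARS = {
    "workflow": "GITHUB_WORKFLOW",
    "job": "GITHUB_JOB",
    "run_id": "GITHUB_RUN_ID",
    "run_attempt": "GITHUB_RUN_ATTEMPT",
    "event_name": "GITHUB_EVENT_NAME",
    "repository": "GITHUB_REPOSITORY",
    "ref": "GITHUB_REF_NAME",
    "sha": "GITHUB_SHA",
    "actor": "GITHUB_ACTOR",
}

# Input names that must never reach a log verbatim.
SENSITIVE_MARKERS = ("token", "secret", "password", "key")


def run_url(env):
    """Link to the run in the GitHub UI so an entry can be traced back to it."""
    repo, run_id = env.get("GITHUB_REPOSITORY"), env.get("GITHUB_RUN_ID")
    if not (repo and run_id):
        return None
    server = env.get("GITHUB_SERVER_URL", "https://github.com")
    return f"{server}/{repo}/actions/runs/{run_id}"


def redact_inputs(inputs):
    """Keep workflow_dispatch inputs for context but mask anything credential-like."""
    return {
        k: ("[REDACTED]" if any(m in k.lower() for m in SENSITIVE_MARKERS) else v)
        for k, v in inputs.items()
    }


def build_entry(event, env, exit_status=None, now=None):
    """Build one JSON-serialisable audit record from the runner environment."""
    entry = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "event": event,
        **{field: env.get(var) for field, var in CONTEXT_VARS.items()},
        "run_url": run_url(env),
    }
    # AUDIT_INPUTS (assumed name) carries ${{ toJSON(inputs) }} from the workflow.
    raw_inputs = env.get("AUDIT_INPUTS")
    if raw_inputs:
        try:
            entry["inputs"] = redact_inputs(json.loads(raw_inputs))
        except (ValueError, AttributeError):
            entry["inputs_error"] = "unparseable AUDIT_INPUTS"
    # AUDIT_ARTIFACT (assumed name) names what was pushed, e.g. package@version.
    if env.get("AUDIT_ARTIFACT"):
        entry["artifact"] = env["AUDIT_ARTIFACT"]
    if exit_status is not None:
        entry["exit_status"] = int(exit_status)
    return entry


def main(argv):
    event = argv[1] if len(argv) > 1 else "step"
    status = None
    if "--exit-status" in argv:
        i = argv.index("--exit-status")
        status = argv[i + 1] if i + 1 < len(argv) else None
    line = json.dumps(build_entry(event, os.environ, exit_status=status), sort_keys=True)
    print(line)                          # visible in the run log
    with open("audit.log", "a") as fh:   # appended for the shipping step
        fh.write(line + "\n")


if __name__ == "__main__":
    main(sys.argv)
```

In the workflow, the step that runs the script would set `env: AUDIT_INPUTS: ${{ toJSON(inputs) }}` so the dispatch inputs land in the entry; the exit status is captured by the shell and passed explicitly, because a failed publish is exactly the event an investigator needs to see.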
Secure Version
```diff
 name: Publish
 on: workflow_dispatch
 jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+      - name: Log deployment start
+        run: |
+          echo "{\"event\":\"deploy_start\",\"run\":\"${{ github.run_id }}\",\"sha\":\"${{ github.sha }}\",\"actor\":\"${{ github.actor }}\"}" >> audit.log
       - name: Publish package
         env:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: npm publish
+      - name: Ship audit log
+        if: always()  # ship the log even when publish fails; failed attempts are the ones to investigate
+        run: curl -X POST https://logging.example.com -H "Content-Type: application/json" --data-binary @audit.log
```
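Once the entries are shipped, the "alert on anomalies" mitigation needs rules on the receiving side. The following is an added Python example, not code from the page, that reads newline-delimited entries in the shape the secure workflow above appends to audit.log (`event`, `run`, `sha`, `actor`) plus three assumed fields (`ts`, `ref`, `exit_status`), and raises alerts for the three conditions the mitigations list names: unexpected branches, repeated failures, and off-hours deployments. The allowed branch set, business hours and failure threshold are assumptions; the log lines are constructed.

```python
"""Anomaly rules over shipped audit-log entries (added example, not from the page)."""
import json
from collections import Counter
from datetime import datetime

ALLOWED_REFS = {"main"}          # assumption: only main may deploy
BUSINESS_HOURS = range(8, 18)    # assumption: 08:00-17:59 UTC, Monday to Friday
FAILURE_THRESHOLD = 3            # assumption: alert on the third failure per actor

# Constructed sample lines in the shape the secure workflow ships; the last one
# is deliberately malformed to show that broken shipping is itself detectable.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:15:00+00:00", "event": "deploy_start", "run": "101", "sha": "a1b2c3", "actor": "octocat", "ref": "main"}
{"ts": "2024-03-04T09:16:00+00:00", "event": "deploy_end", "run": "101", "sha": "a1b2c3", "actor": "octocat", "ref": "main", "exit_status": 0}
{"ts": "2024-03-04T23:40:00+00:00", "event": "deploy_start", "run": "102", "sha": "d4e5f6", "actor": "octocat", "ref": "feature/wip"}
{"ts": "2024-03-04T23:41:00+00:00", "event": "deploy_end", "run": "102", "sha": "d4e5f6", "actor": "octocat", "ref": "feature/wip", "exit_status": 1}
{"ts": "2024-03-05T10:00:00+00:00", "event": "deploy_end", "run": "103", "sha": "d4e5f6", "actor": "octocat", "ref": "main", "exit_status": 1}
{"ts": "2024-03-05T10:30:00+00:00", "event": "deploy_end", "run": "104", "sha": "d4e5f6", "actor": "octocat", "ref": "main", "exit_status": 1}
not json at all
"""


def parse_entries(text):
    """Parse NDJSON; return (entries, number_of_malformed_lines)."""
    entries, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except ValueError:
            bad += 1
    return entries, bad


def off_hours(ts):
    """True when an ISO-8601 timestamp falls outside the assumed business window."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or t.hour not in BUSINESS_HOURS


def detect(entries, allowed_refs=ALLOWED_REFS, threshold=FAILURE_THRESHOLD):
    """Return (rule, run, detail) tuples for every entry that trips a rule."""
    alerts = []
    failures = Counter()  # failed deploy_end events per actor
    for e in entries:
        run, actor, event = e.get("run"), e.get("actor"), e.get("event")
        if event == "deploy_start":
            if e.get("ref") not in allowed_refs:
                alerts.append(("unexpected_branch", run, e.get("ref")))
            if off_hours(e["ts"]):
                alerts.append(("off_hours_deploy", run, e["ts"]))
        elif event == "deploy_end" and e.get("exit_status", 0) != 0:
            failures[actor] += 1
            if failures[actor] == threshold:   # fire once, not on every later failure
                alerts.append(("repeated_failures", run, actor))
    return alerts


def review(text):
    """Run the rules over a log body; malformed lines are reported as their own alert."""
    entries, bad = parse_entries(text)
    alerts = detect(entries)
    if bad:
        alerts.append(("malformed_lines", None, bad))
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Each alert carries the run id, which combined with the `run_url` style of link discussed under "capture context" lets a responder jump straight to the workflow run that caused it rather than reconstructing it from GitHub's UI.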
Impact
| Dimension | Severity | Notes |
|---|---|---|
| Likelihood | | Logging is often skipped to keep workflows simple. |
| Risk | | Lack of logs blocks incident response and compliance reporting. |
| Blast radius | | Any environment touched by the workflow becomes opaque to investigations. |
References
- GitHub Docs, “Viewing your audit log,” https://docs.github.com/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/auditing-a-users-actions/viewing-your-audit-log 1
- GitHub Docs, “Security hardening for GitHub Actions,” https://docs.github.com/actions/security-guides/security-hardening-for-github-actions