Sher: A Secure Broker for DevSecOps and CI/CD Workflows  

作　　者：Pranau Kumar Vijay K. Madisetti Pranau Kumar;Vijay K. Madisetti(School of Cybersecurity and Privacy, Georgia Institute of Technology, Atlanta, USA)

机构地区：[1]School of Cybersecurity and Privacy, Georgia Institute of Technology, Atlanta, USA

出　　处：《Journal of Software Engineering and Applications》2024年第5期321-339,共19页软件工程与应用（英文）

摘　　要：GitHub Actions, a popular CI/CD platform, introduces significant security challenges due to its integration with GitHub’s open ecosystem and its use of flexible workflow configurations. This paper presents Sher, a Python-based tool that enhances the security of GitHub Actions by automating the detection and remediation of security issues in workflows. Self-Hosted Ephemeral Runner, or Sher, acts as a broker between GitHub’s APIs and a customizable, isolated environment, analyzing workflows through a static rules engine and automatically fixing identified issues. By providing a secure, ephemeral runner environment and a dynamic analysis tool, Sher addresses common misconfigurations and vulnerabilities, contributing to the resilience and integrity of DevSecOps practices within software development pipelines.GitHub Actions, a popular CI/CD platform, introduces significant security challenges due to its integration with GitHub’s open ecosystem and its use of flexible workflow configurations. This paper presents Sher, a Python-based tool that enhances the security of GitHub Actions by automating the detection and remediation of security issues in workflows. Self-Hosted Ephemeral Runner, or Sher, acts as a broker between GitHub’s APIs and a customizable, isolated environment, analyzing workflows through a static rules engine and automatically fixing identified issues. By providing a secure, ephemeral runner environment and a dynamic analysis tool, Sher addresses common misconfigurations and vulnerabilities, contributing to the resilience and integrity of DevSecOps practices within software development pipelines.

关 键 词：CI/CD Pipelines GitHub GitOps DevSecOps ISOLATION Security SAST 

分 类 号：TP3[自动化与计算机技术—计算机科学与技术]