GitHub Marketplace SAST tool gitleaks


Hi Github & Gitleak Users,

I wanted to use a SAST tool, gitleaks / gitleaks-action, which is available on the GitHub Marketplace and fits our requirements.

My concern is:

Since the scanner is going to run on the public and private repos of our GitHub organisation, is it completely safe to trust apps available on the GitHub Marketplace (which are available for free)?

Does the "MIT License" requirement have a check in place to ensure the integrity of the tool made available, so that end users can install these security tools with confidence? After the GitHub repo is scanned by gitleaks, is the result obtained kept secure?

Thanks,


Your question is not a duplicate, but it looks a lot like this one.

The answer is (unfortunately) NO.

It is NOT completely safe to trust apps available on the GitHub Marketplace.

You can find some references here:

Understand that this is the same thing with most libraries you use to code on a daily basis.

GitHub Actions on the GitHub Marketplace are generally public open-source repositories, and aren't always backed by big companies.

Most of them do simple operations that you can check by looking at the repository code, but it is always possible for the owner to configure malicious things deep inside the implementation.

That's why you need to be aware of this when choosing one or another action/library, and be cautious and check the code and its eventual vulnerabilities before using them for your own projects.

Be even more cautious if you need to provide a Personal Access Token (PAT) as an input variable.

Note that GitHub shows verified users on the Marketplace, who can be considered 'trusted'.

Example: [screenshot of the Marketplace verified-user badge, not reproduced here]

Hopefully, not everyone has this mindset (of doing malicious things), and the community is most of the time helpful. Just be aware that there might always be some risks (and some security tools can help with that).
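As an added example (not part of the answer above, and not code from gitleaks or GitHub), here is a small defender-side check for the two points the answer raises: whether each third-party action in a workflow is pinned to an immutable commit SHA rather than a movable tag or branch, and whether a step hands a repository secret such as a PAT to that action. The workflow text is constructed for this example and the 40-character SHA is a placeholder; `some-org/some-action` is a hypothetical name.

```python
import re
# Constructed sample workflow (not from the post); the 40-char SHA is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: some-org/some-action@main
        with:
          token: ${{ secrets.MY_PAT }}
      - uses: ./.github/actions/local-step
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SECRET_RE = re.compile(r"secrets\.((?!GITHUB_TOKEN\b)[A-Za-z0-9_]+)")  # PATs etc.


def audit_workflow(text: str) -> list[dict]:
    """Record each `uses:` ref, whether it is pinned to a full commit SHA, and the
    custom secrets its step receives (secrets attach to the latest `uses:` line)."""
    findings, current = [], None
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):
                kind = "local-or-image"  # not a Marketplace action
            else:
                _, _, version = ref.partition("@")
                kind = "pinned-sha" if SHA_RE.match(version) else "mutable-ref"
            current = {"uses": ref, "kind": kind, "secrets": []}
            findings.append(current)
        elif current is not None:
            current["secrets"].extend(SECRET_RE.findall(line))
    return findings


def risk_report(findings: list[dict]) -> dict[str, list[str]]:
    report = {}  # third-party ref -> reasons it deserves manual review
    for f in findings:
        reasons = ["not pinned to a commit SHA"] if f["kind"] == "mutable-ref" else []
        reasons += [f"receives repository secret {n}" for n in f["secrets"]]
        if reasons:
            report[f["uses"]] = reasons
    return report
```

Running `risk_report(audit_workflow(SAMPLE_WORKFLOW))` flags the three tag- or branch-pinned actions and singles out the one that receives a custom secret; the SHA-pinned and local steps produce no finding.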