An Empirical Study on Workflows and Security Policies in Popular GitHub Repositories

In open-source projects, anyone can contribute, so it is important to have an active continuous integration and continuous delivery (CI/CD) pipeline in addition to a protocol for reporting security concerns, especially in projects that are widely used and belong to the software supply chain. Many of these projects are hosted on GitHub, where maintainers can create automated workflows using GitHub Actions, introduced in 2019, for inspecting proposed changes to source code and defining a security policy for reporting vulnerabilities. We conduct an empirical study to measure the usage of GitHub workflows and security policies in thousands of popular repositories based on the number of stars. After querying the top one-hundred and top one-thousand repositories from all 181 trending GitHub topics, and the top 4,900 overall repositories, totaling just over 173 thousand projects, we find that 37% of projects have workflows enabled and 7% have a security policy in place. Using the top 60 repositories from each of the 34 most popular programming languages on GitHub, 2,040 projects total, we find that 57% of projects have workflows enabled and 17% have a security policy in place. Furthermore, from those top repositories that have support for GitHub CodeQL static analysis, which performs bug and vulnerability checks, only 13.5% have it enabled; in fact, we find that only 1.7% of the top repositories using Kotlin have an active CodeQL scanning workflow. These results highlight that open-source project maintainers should prioritize configuring workflows, enabling automated static analysis whenever possible, and defining a security policy to prevent vulnerabilities from being introduced or remaining in source code.