In open-source projects, anyone can contribute, so it is important to have an active continuous integration and continuous delivery (CI/CD) pipeline in addition to a protocol for reporting security concerns, especially in projects that are widely used and belong to the software supply chain. Many of these projects are hosted on GitHub, where maintainers can create automated workflows using GitHub Actions (introduced in 2019) to inspect proposed changes to source code, and can define a security policy for reporting vulnerabilities. We conduct an empirical study to measure the usage of GitHub workflows and security policies in thousands of popular repositories, ranked by number of stars. After querying the top one-hundred and top one-thousand repositories from all 181 trending GitHub topics, and the top 4,900 overall repositories, totaling just over 173 thousand projects, we find that 37% of projects have workflows enabled and 7% have a security policy in place. Using the top 60 repositories from each of the 34 most popular programming languages on GitHub, 2,040 projects total, we find that 57% of projects have workflows enabled and 17% have a security policy in place. Furthermore, of those top repositories whose language is supported by GitHub CodeQL static analysis, which performs bug and vulnerability checks, only 13.5% have it enabled; in fact, we find that only 1.7% of the top repositories using Kotlin have an active CodeQL scanning workflow. These results highlight that open-source project maintainers should prioritize configuring workflows, enabling automated static analysis whenever possible, and defining a security policy to prevent vulnerabilities from being introduced or remaining in source code.
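The three signals the study measures (workflows enabled, a security policy present, a CodeQL scanning workflow among repositories whose language CodeQL supports) can be checked for any repository from its file tree alone. The script below is an added illustration, not the paper's tooling: it assumes a repository is represented as a mapping from file path to file content (as obtained from a local checkout or the GitHub contents API), treats any YAML file under `.github/workflows/` as a workflow, recognises `SECURITY.md` in the locations GitHub documents, and counts a workflow as a CodeQL scan when it references the `github/codeql-action` action. The sample repositories, their languages and file contents are constructed.

```python
"""Classify repositories by CI workflows, security policy and CodeQL usage.

Added example, not the paper's own code. Assumptions: a repo is a dict of
path -> content; a workflow is any .github/workflows/*.yml|*.yaml file;
a CodeQL workflow is one that references github/codeql-action.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Workflow files live under .github/workflows/ (GitHub Actions convention).
WORKFLOW_RE = re.compile(r"^\.github/workflows/[^/]+\.ya?ml$")
# GitHub looks for SECURITY.md in the root, .github/ or docs/ (case-insensitive).
POLICY_RE = re.compile(r"^(?:\.github/|docs/)?security\.md$", re.IGNORECASE)
# Assumption: a workflow using the CodeQL init/analyze action is a CodeQL scan.
CODEQL_RE = re.compile(r"uses:\s*github/codeql-action/(?:init|analyze)", re.IGNORECASE)
# Languages CodeQL can analyse (lower-cased; used for the "supported" denominator).
CODEQL_LANGUAGES = {
    "c", "c++", "c#", "go", "java", "kotlin", "javascript", "typescript",
    "python", "ruby", "swift",
}


@dataclass
class RepoReport:
    name: str
    language: str
    has_workflows: bool
    has_policy: bool
    has_codeql: bool

    @property
    def codeql_supported(self) -> bool:
        return self.language.lower() in CODEQL_LANGUAGES


def classify(name: str, language: str, files: Dict[str, str]) -> RepoReport:
    """Derive the three study signals from a repository's file tree."""
    workflows = [c for p, c in files.items() if WORKFLOW_RE.match(p)]
    has_policy = any(POLICY_RE.match(p) for p in files)
    has_codeql = any(CODEQL_RE.search(c) for c in workflows)
    return RepoReport(name, language, bool(workflows), has_policy, has_codeql)


def summarize(reports: Iterable[RepoReport]) -> Dict[str, float]:
    """Percentages in the shape the abstract reports them."""
    reps: List[RepoReport] = list(reports)
    supported = [r for r in reps if r.codeql_supported]

    def pct(items: List[RepoReport], flag) -> float:
        return round(100.0 * sum(1 for r in items if flag(r)) / len(items), 1) if items else 0.0

    return {
        "repos": len(reps),
        "workflows_pct": pct(reps, lambda r: r.has_workflows),
        "policy_pct": pct(reps, lambda r: r.has_policy),
        "codeql_supported": len(supported),
        "codeql_pct_of_supported": pct(supported, lambda r: r.has_codeql),
    }


# Constructed sample repositories (names, languages and contents are made up).
SAMPLE_REPOS = {
    "alpha": ("Python", {
        ".github/workflows/ci.yml": "on: [push]\njobs:\n  test:\n    runs-on: ubuntu-latest\n",
        "SECURITY.md": "# Security Policy\nReport issues to security@example.invalid\n",
    }),
    "beta": ("Go", {
        ".github/workflows/codeql.yml": (
            "on: [push, pull_request]\njobs:\n  analyze:\n    steps:\n"
            "      - uses: github/codeql-action/init@v3\n"
            "      - uses: github/codeql-action/analyze@v3\n"
        ),
    }),
    "gamma": ("Kotlin", {".github/SECURITY.md": "# Security Policy\n", "README.md": "hi\n"}),
    "delta": ("R", {"README.md": "no CI here\n"}),
}


def run_sample() -> Dict[str, float]:
    return summarize(classify(n, lang, files) for n, (lang, files) in SAMPLE_REPOS.items())


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Over the constructed sample, half the repositories have workflows, half have a policy, and of the three whose language CodeQL supports only one actually runs a CodeQL scan; on real data the same functions are applied to each repository's file listing and the percentages are aggregated per topic or per language.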