GASH – The GitHub Actions Smell Hunter
Resumo
The CI/CD pipeline configuration is a challenging and error-prone task. Its misconfiguration threatens the project’s security, maintenance, and quality. Such configuration problems called “configuration smells” are patterns in the configuration that, while not necessarily incorrect, indicate potential issues that could compromise the pipeline efficiency, reliability, or security. Detecting these smells is key to managing and addressing them for maintaining high-quality and secure CI/CD workflows. This paper introduces GASH (GitHub Actions Smell Hunter), a Pythonic tool devoted to detecting configuration smells in GitHub Actions CI/CD pipelines. Our tool can detect nine configuration smells categorized into three groups: security (5), maintenance and reliability (3), and code quality (1). GASH provides features to support researchers in performing large-scale studies regarding configuration smells and practitioners in continuously analyzing their own pipelines. We evaluate GASH against a manually labeled “gold standard” based on 15 open-source projects comprising 66 CI/CD pipeline configurations. The results show that GASH performed well, achieving F1-score greater than 0.8 for most configuration smells.
Palavras-chave:
CI/CD, GitHub Actions, Configuration Smells, Static Analysis
Referências
Kinsman, T., Wessel, M., Gerosa, M. A., and Treude, C. (2021). How do software developers use github actions to automate their workflows? In 2021 IEEE/ACM 18th International Conference on Mining Software Repositories (MSR), pages 420–431.
Rahman, A., Parnin, C., and Williams, L. (2019). The seven sins: Security smells in infrastructure as code scripts. In 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE), pages 164–175.
Spadini, D., Aniche, M., and Bacchelli, A. (2018). PyDriller: Python framework for mining software repositories. In Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering - ESEC/FSE 2018, pages 908–911, New York, New York, USA. ACM Press.
Vasilescu, B., Yu, Y., Wang, H., Devanbu, P., and Filkov, V. (2015). Quality and productivity outcomes relating to continuous integration in github. In Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering, ESEC/FSE 2015, page 805–816, New York, NY, USA. Association for Computing Machinery.
Vassallo, C., Proksch, S., Jancso, A., Gall, H. C., and Di Penta, M. (2020). Configuration smells in continuous delivery pipelines: a linter and a six-month study on gitlab. In Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2020, page 327–337, New York, NY, USA. Association for Computing Machinery.
Wessel, M., Vargovich, J., Gerosa, M. A., and Treude, C. (2023). Github actions: The impact on the pull request process. Empirical Softw. Engg., 28(6).
Zhang, Y., Wu, Y., Chen, T., Wang, T., Liu, H., and Wang, H. (2024). How do developers talk about github actions? evidence from online software development community. In Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, ICSE ’24, New York, NY, USA. Association for Computing Machinery.
Rahman, A., Parnin, C., and Williams, L. (2019). The seven sins: Security smells in infrastructure as code scripts. In 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE), pages 164–175.
Spadini, D., Aniche, M., and Bacchelli, A. (2018). PyDriller: Python framework for mining software repositories. In Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering - ESEC/FSE 2018, pages 908–911, New York, New York, USA. ACM Press.
Vasilescu, B., Yu, Y., Wang, H., Devanbu, P., and Filkov, V. (2015). Quality and productivity outcomes relating to continuous integration in github. In Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering, ESEC/FSE 2015, page 805–816, New York, NY, USA. Association for Computing Machinery.
Vassallo, C., Proksch, S., Jancso, A., Gall, H. C., and Di Penta, M. (2020). Configuration smells in continuous delivery pipelines: a linter and a six-month study on gitlab. In Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2020, page 327–337, New York, NY, USA. Association for Computing Machinery.
Wessel, M., Vargovich, J., Gerosa, M. A., and Treude, C. (2023). Github actions: The impact on the pull request process. Empirical Softw. Engg., 28(6).
Zhang, Y., Wu, Y., Chen, T., Wang, T., Liu, H., and Wang, H. (2024). How do developers talk about github actions? evidence from online software development community. In Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, ICSE ’24, New York, NY, USA. Association for Computing Machinery.
Publicado
30/09/2024
Como Citar
FREITAS, Matheus B.; ROCHA, Lincoln S..
GASH – The GitHub Actions Smell Hunter. In: WORKSHOP DE VISUALIZAÇÃO, EVOLUÇÃO E MANUTENÇÃO DE SOFTWARE (VEM), 12. , 2024, Curitiba/PR.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2024
.
p. 103-112.
DOI: https://doi.org/10.5753/vem.2024.3911.
