
Universidade Federal do Ceará
Master's and Doctoral Program in Computer Science (MDCC)


Dissertation Defense: Matheus Britto Freitas

Published: April 15, 2025. Category: Dissertation Defenses, News

Título: Unveiling Invisible Threats: An Empirical Study on the Prevalence and Co-occurrence of Configuration Smells in GitHub Actions Workflows

Date: April 22, 2025
Time: 10:00
Venue: Online

Abstract:

Misconfigurations in CI/CD pipelines introduce significant risks to software projects, ranging from security vulnerabilities to inefficiencies that hinder development processes. These misconfigurations, often referred to as “configuration smells”, are recurring patterns that, while not necessarily incorrect, indicate potential threats to workflow reliability, security, and maintainability. Despite the growing adoption of CI/CD practices, the prevalence and relationships among these configuration smells remain underexplored. This work presents a comprehensive empirical study that reveals the invisible threats posed by configuration smells in GitHub Actions workflows. Our analysis of 3,996 repositories and 16,572 YAML configuration files identified 16,882 smell instances, with 99.8% of repositories exhibiting at least one smell. We investigated two main aspects: the prevalence of configuration smells and their co-occurrence patterns, highlighting security-related smells such as Hard-Coded Secrets and Untrusted Dependencies. To enable this study, we developed GASH (GitHub Actions Smell Hunter), an original static analysis tool capable of detecting nine types of configuration smells categorized into three groups: security (5), maintenance and reliability (3), and code quality (1). The tool was validated against manually labeled configurations, achieving an F1-score greater than 0.8 for most analyzed smells. Our findings reveal significant correlations between repository popularity, programming languages used, and the prevalence of certain smells. For instance, popular repositories are more likely to contain Code Replica and Hard-Coded Secrets, while Rust projects demonstrate a higher prevalence of Untrusted Dependencies. We also identified notable co-occurrence patterns, including an almost perfect correlation between Error Handling and Misconfiguration. To the best of our knowledge, this is the first empirical study to provide evidence on the prevalence of configuration smells in GitHub Actions workflows. These insights not only clarify the current state of CI/CD configurations in practice but also provide actionable guidance for researchers, developers, and security professionals to mitigate these threats.
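To make the two security smells named above concrete, the following is an added illustration written for this page; it is not GASH and not code from the dissertation. It scans a constructed workflow with stdlib-only line matching and applies two assumed definitions: a Hard-Coded Secret is a secret-looking key (`*TOKEN*`, `*SECRET*`, `*PASSWORD*`, `*KEY*`) assigned a literal instead of a `${{ secrets.* }}` expression, and an Untrusted Dependency is a third-party action (owner other than the assumed first-party set `actions`/`github`) referenced by a mutable tag or branch instead of a full 40-hex commit SHA. The sample workflow, the `some-org/*` action names and the credential-like values are all constructed.

```python
"""Stdlib-only detector for two GitHub Actions configuration smells.

Added example for illustration; the smell definitions below are this
example's assumptions, not GASH's rules, and the workflow is constructed.
"""
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    line: int
    smell: str
    detail: str


# Assumption: these owners are first-party and exempt from the pinning check.
FIRST_PARTY_OWNERS = {"actions", "github"}
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
KV_RE = re.compile(r"^\s*-?\s*([A-Za-z_][\w.-]*)\s*:\s*(\S.*?)\s*$")
SECRET_KEY_RE = re.compile(
    r"(secret|token|password|passwd|api[_-]?key|access[_-]?key)", re.I)
# Values that are clearly not literal credentials: expressions, shell vars, bools, numbers.
PLACEHOLDER_RE = re.compile(r"^(\$\{\{.*\}\}|\$[A-Za-z_]\w*|true|false|\d+)$")

# Constructed sample workflow (not taken from the study's dataset).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      AWS_SECRET_ACCESS_KEY: "AKIAIOSFODNN7EXAMPLE"
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/deploy-action@main
      - uses: some-org/pinned-action@0123456789abcdef0123456789abcdef01234567
      - name: Publish
        run: ./publish.sh
        env:
          API_KEY: ${{ secrets.API_KEY }}
          DRY_RUN_TOKEN_CHECK: true
      - name: Notify
        with:
          webhook_token: ghp_EXAMPLEexampleEXAMPLE000000000000
"""


def check_uses(line_no: int, ref: str) -> Optional[Finding]:
    """Flag a third-party action that is not pinned to a full commit SHA."""
    # Local actions and Docker images are out of scope for this check.
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    name, _, version = ref.partition("@")
    owner = name.split("/", 1)[0]
    if owner in FIRST_PARTY_OWNERS:
        return None
    if SHA_RE.match(version):
        return None
    return Finding(line_no, "Untrusted Dependency",
                   f"{ref} is not pinned to a full commit SHA")


def check_secret(line_no: int, key: str, value: str) -> Optional[Finding]:
    """Flag a secret-looking key whose value is a literal, not an expression."""
    if not SECRET_KEY_RE.search(key):
        return None
    literal = value.strip().strip("\"'")
    if not literal or PLACEHOLDER_RE.match(literal):
        return None
    return Finding(line_no, "Hard-Coded Secret",
                   f"{key} is assigned a literal value")


def scan(workflow_text: str) -> List[Finding]:
    """Run both checks over every line of a workflow file."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(workflow_text.splitlines(), start=1):
        line = re.sub(r"\s#.*$", "", raw).rstrip()  # drop trailing YAML comments
        m = USES_RE.match(line)
        if m:
            hit = check_uses(line_no, m.group(1))
            if hit:
                findings.append(hit)
            continue
        m = KV_RE.match(line)
        if m:
            hit = check_secret(line_no, m.group(1), m.group(2))
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.smell}: {f.detail}")
```

On the constructed workflow the scan reports the literal `AWS_SECRET_ACCESS_KEY`, the branch-referenced `some-org/deploy-action@main`, and the literal `webhook_token`, while the SHA-pinned action, the first-party `actions/checkout`, the `${{ secrets.API_KEY }}` expression and the boolean `DRY_RUN_TOKEN_CHECK` are left alone. A line-based scanner of this kind ignores YAML structure (anchors, multi-line strings, matrix expansion), which is why a tool like GASH is validated against manually labeled configurations rather than trusted on pattern matches alone.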


Examining committee:

  • Prof. Dr. Lincoln Souza Rocha (MDCC/UFC) – Advisor
  • Prof. Dr. Windson Viana de Carvalho (MDCC/UFC)
  • Prof. Dr. Camilo Camilo Almendra (UFC)
  • Prof. Dr. Bruno Góis Mateus (UFC/Quixadá)
  • Prof. Dr. Nabor das Chagas Mendonça (UNIFOR)