BotBeat
Datadog
Industry report, 2026-02-26

GitHub Actions Vulnerable to Supply Chain Attacks as 87% of Organizations Run Exploitable Code, Datadog Finds

Key Takeaways

  • 87% of organizations run at least one known exploitable vulnerability, and 40% of deployed services contain one, with Java services leading at a 59% vulnerability rate
  • GitHub Actions and similar CI/CD platforms remain vulnerable to supply chain attacks when organizations reference actions by floating version tag instead of pinning them to a commit hash
  • Dependencies are increasingly outdated, with the median library running 278 days behind its latest version, up from 215 days previously
Source: Hacker News; report at https://www.datadoghq.com/state-of-devsecops/

Summary

Datadog's 2026 State of DevSecOps report reveals widespread security vulnerabilities across software development pipelines, with 87% of organizations running at least one known exploitable vulnerability in deployed services. The research, which analyzed tens of thousands of applications, found that 40% of all services contain exploitable flaws, with Java services leading at 59%, followed by .NET at 47% and Rust at 40%. The report highlights a critical tension between development velocity and security risk as organizations adopt AI-assisted coding and cloud-native environments.

A major concern identified in the report is the vulnerability of CI/CD environments to supply chain attacks, particularly platforms like GitHub Actions. Organizations frequently fail to pin actions by hash, leaving them exposed to unknowingly adopting malicious new releases. The research found that dependencies are significantly outdated, with the median library running 278 days behind its latest major version—up from 215 days in the previous year. Java and Ruby dependencies lag the furthest behind at 492 and 357 days respectively.
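The pinning gap the report describes can be checked mechanically before a workflow is merged. The script below is an added example written for this summary, not code from Datadog's report or from GitHub: it scans a constructed workflow for `uses:` references and flags any that point at a tag or branch rather than a full 40-character commit SHA. It goes one step beyond the report's point by also treating a `docker://` container action as pinned only when it carries an image digest. The hashes in the sample are placeholder zeros, not real commits.

```python
import re
from dataclasses import dataclass
from typing import List

# Placeholder hashes (all zeros), not real commits or image digests.
PLACEHOLDER_SHA = "0" * 40
PLACEHOLDER_DIGEST = "0" * 64

# Constructed sample workflow, not taken from the report: one action pinned to a
# commit SHA, one on a floating major tag, one on a branch, one local action,
# one container image by tag and one container image by digest.
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}  # v4 (placeholder SHA)
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: "docker://alpine@sha256:{PLACEHOLDER_DIGEST}"
      - run: npm ci && npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
GIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
IMAGE_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$", re.IGNORECASE)


@dataclass
class ActionRef:
    line: int   # 1-based line number in the workflow file
    raw: str    # the value after 'uses:'
    kind: str   # "pinned", "floating" or "local"


def classify(raw: str) -> str:
    """Decide whether a single 'uses:' value points at immutable code."""
    if raw.startswith("./"):
        return "local"          # lives in this repo and is reviewed with the code
    if raw.startswith("docker://"):
        # A container action is immutable only when referenced by digest.
        return "pinned" if IMAGE_DIGEST_RE.search(raw) else "floating"
    if "@" not in raw:
        return "floating"       # no ref at all: nothing is pinned
    ref = raw.rsplit("@", 1)[1]
    # Policy used here: only a full-length commit SHA counts as pinned.
    # Tags (v4, v4.1.1) and branches (main) can be moved to new code later.
    return "pinned" if GIT_SHA_RE.match(ref) else "floating"


def scan_workflow(text: str) -> List[ActionRef]:
    """Return every 'uses:' reference in a workflow with its classification."""
    refs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            raw = m.group(1)
            refs.append(ActionRef(lineno, raw, classify(raw)))
    return refs


def unpinned_actions(text: str) -> List[str]:
    """The references a reviewer should ask to be pinned before merge."""
    return [r.raw for r in scan_workflow(text) if r.kind == "floating"]


if __name__ == "__main__":
    for r in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {r.line:>3}  {r.kind:<8}  {r.raw}")
    print("unpinned:", unpinned_actions(SAMPLE_WORKFLOW))
```

Run as a pre-merge check, a non-empty `unpinned_actions` result is the signal to replace `@v4` or `@main` with the commit SHA of the release you reviewed, keeping the human-readable version in a trailing comment as the sample's first step does. The line-based scan is deliberately simple so it needs no YAML library; it does not follow `workflow_call` reuse, so reusable workflows referenced from other repositories need the same treatment separately.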

The report establishes a clear correlation between deployment frequency and security posture. Services deployed less than once per month have dependencies that are 70% more outdated than those deployed daily (295 days vs. 172 days behind). Additionally, 10% of services globally run on end-of-life (EOL) versions of programming languages or runtime environments, with these services showing a 50% exploitable vulnerability rate compared to 37% for services on supported versions. The research emphasizes that while newer libraries have fewer vulnerabilities (1.3 on average for 2025 releases vs. 3.8 for 2023), organizations struggle to balance the need for rapid updates against the risk of adopting compromised packages.

  • Services deployed daily have dependencies 70% more current than those deployed less than monthly, showing deployment frequency directly impacts security posture
  • 10% of services run on end-of-life language versions, which show 50% exploitable vulnerability rates versus 37% for supported versions

Editorial Opinion

This report underscores a dangerous complacency in software supply chain security that threatens the entire DevOps ecosystem. The finding that GitHub Actions environments are widely vulnerable to supply chain attacks through unpinned dependencies is particularly alarming given the platform's central role in modern development workflows. While the correlation between deployment frequency and security posture validates DevOps best practices, the year-over-year increase in dependency lag suggests organizations are losing ground despite increased awareness of supply chain risks.

Tags: MLOps & Infrastructure, Cybersecurity, Market Trends, AI Safety & Alignment
