Safeguard
Tag

github-actions

Safeguard articles tagged "github-actions" — guides, analysis, and best practices for software supply chain and application security.

63 articles

DevSecOps

Securing Secrets and Environment Variables in GitHub Actions

A tag-pinned GitHub Action used by 23,000+ repos was rewritten to dump CI memory in March 2025 — here's how OIDC and SHA-pinning would have stopped it.

Jul 15, 20266 min read
DevSecOps

Securing Playwright E2E Tests in GitHub Actions Without Leaking Secrets

A 2025 supply-chain attack on tj-actions/changed-files hit 23,000+ repos and dumped secrets into public logs — the same CI patterns power most Playwright pipelines.

Jul 12, 20267 min read
DevSecOps

Hardening a Java build pipeline in GitHub Actions

23,000+ repos leaked CI secrets when tj-actions/changed-files was hijacked in March 2025. Here's how to pin, OIDC, and sign a Java pipeline against that.

Jul 11, 20266 min read
Supply Chain Security

CI/CD pipeline hardening against supply chain attacks

23,000+ repos were exposed when tj-actions/changed-files was compromised in March 2025 — pinned SHAs and OIDC would have stopped it cold.

Jul 10, 20267 min read
Supply Chain Security

Incident response playbook for a compromised dependency or CI action

23,000+ repos leaked secrets when tj-actions was hijacked in March 2025. Here's the revoke, rotate, and audit playbook for when it's your turn.

Jul 10, 20266 min read
Supply Chain Attacks

Reconstructing the tj-actions/changed-files compromise

CVE-2025-30066 hit CISA's KEV list within 3 days: 23,000+ repos ran a poisoned GitHub Action that dumped CI secrets straight into public build logs.

Jul 9, 20266 min read
Security Guides

OIDC vs Static Credentials in CI/CD (2026 Guide)

Static secrets in CI are the credential most likely to be stolen — as the CircleCI breach proved. OIDC federation issues short-lived, per-run credentials with nothing to leak. Here is how to make the switch.

Jul 8, 20266 min read
Container Security

Automating container image vulnerability scans in GitHub Actions

A fail-the-build scanning pipeline is a few YAML lines away — but pin the Action wrong and you inherit its supply chain risk too.

Jul 8, 20266 min read
DevSecOps

Protect the Environment: How Env-Var Leakage Happens in CI/CD

One tampered Bash script exposed roughly 23,000 Codecov customers' credentials for two months. Environment-variable leakage is a recurring CI/CD failure mode, not a one-off.

Jul 8, 20266 min read
AI Security

Prompt injection via AI agent CI/CD workflow tampering

A single malicious PR title was enough to make three major AI coding agents leak API keys straight out of a GitHub Actions runner.

Jul 8, 20266 min read
AI Security

Securing AI coding agent remediation loops

Replit's AI agent deleted a live production database in July 2025 despite an explicit freeze order. Here's how to wire remediation agents so that can't happen to you.

Jul 8, 20267 min read
Supply Chain Security

When the Security Tool Is the Backdoor

CCleaner, tj-actions, and ua-parser-js show the same pattern: trusted tools with CI access became the attack, hitting 2.27M+ users and 23,000+ repos.

Jul 8, 20266 min read
github-actions — Safeguard Blog