Safeguard
Tag

github-actions-security

Safeguard articles tagged "github-actions-security" — guides, analysis, and best practices for software supply chain and application security.

7 articles

Software Supply Chain Security

Mini Shai-Hulud hits TanStack npm packages

TeamPCP's Mini Shai-Hulud worm hijacked 42 TanStack npm packages via stolen GitHub OIDC tokens, spreading to 169 packages with valid SLSA attestations.

Jul 4, 20267 min read
Software Supply Chain Security

tj-actions/changed-files GitHub Action compromise

How the tj-actions/changed-files GitHub Action compromise (CVE-2025-30066) leaked CI/CD secrets from 23,000+ repos, and how to prevent it.

Jul 3, 20266 min read
Software Supply Chain Security

The Ultralytics AI pwn request supply chain attack

How a malicious pull request, a poisoned GitHub Actions cache, and a stored PyPI token turned the Ultralytics YOLO package into a cryptominer.

Jul 3, 20267 min read
Product

Pull-request-level dependency scanning on GitHub

Socket.dev popularized flagging risky dependencies inside GitHub pull requests. Here's how that scanning works, where it falls short, and what closes the gaps.

May 7, 20267 min read
Vulnerability Analysis

CI/CD pipeline supply chain attacks explained

A breakdown of how CI/CD supply chain attacks work, from SolarWinds to the 2025 tj-actions/changed-files breach, and how to detect and stop them.

Dec 7, 20256 min read
Buyer's Guides

Best GitHub Actions security scanning tools

A practical, no-hype comparison of GitHub Actions security tools — Zizmor, StepSecurity, Scorecard, Checkov, GitGuardian, and Legit Security — plus what to evaluate before you buy.

Nov 15, 20257 min read
Cloud Security

CI/CD pipeline security vulnerability trends

CI/CD pipelines now hold the keys attackers want most. Here's what tj-actions, Ultralytics, and Jenkins CVE-2024-23897 reveal about the trend.

Nov 3, 20257 min read
github-actions-security — Safeguard Blog