github-actions-security
Safeguard articles tagged "github-actions-security" — guides, analysis, and best practices for software supply chain and application security.
7 articles
Mini Shai-Hulud hits TanStack npm packages
TeamPCP's Mini Shai-Hulud worm hijacked 42 TanStack npm packages via stolen GitHub OIDC tokens, spreading to 169 packages with valid SLSA attestations.
tj-actions/changed-files GitHub Action compromise
How the tj-actions/changed-files GitHub Action compromise (CVE-2025-30066) leaked CI/CD secrets from 23,000+ repos, and how to prevent it.
The Ultralytics AI pwn request supply chain attack
How a malicious pull request, a poisoned GitHub Actions cache, and a stored PyPI token turned the Ultralytics YOLO package into a cryptominer.
Pull-request-level dependency scanning on GitHub
Socket.dev popularized flagging risky dependencies inside GitHub pull requests. Here's how that scanning works, where it falls short, and what closes the gaps.
CI/CD pipeline supply chain attacks explained
A breakdown of how CI/CD supply chain attacks work, from SolarWinds to the 2025 tj-actions/changed-files breach, and how to detect and stop them.
Best GitHub Actions security scanning tools
A practical, no-hype comparison of GitHub Actions security tools — Zizmor, StepSecurity, Scorecard, Checkov, GitGuardian, and Legit Security — plus what to evaluate before you buy.
CI/CD pipeline security vulnerability trends
CI/CD pipelines now hold the keys attackers want most. Here's what tj-actions, Ultralytics, and Jenkins CVE-2024-23897 reveal about the trend.