Safeguard
Tag

github-actions

Safeguard articles tagged "github-actions" — guides, analysis, and best practices for software supply chain and application security.

63 articles

Supply Chain Security

Software supply chain attacks in 2026: what's actually changed

A single compromised maintainer token in March 2025 exposed secrets across 23,000+ repositories — supply chain attacks now target the pipeline, not just the package.

Jul 8, 20266 min read
Tutorials

How to Add Security Scanning to Your CI/CD Pipeline

Wire dependency, container, and secret scanning into GitHub Actions or GitLab CI as a required check that blocks risky merges — with working workflow files and sensible thresholds.

Jul 3, 20266 min read
DevSecOps

GitHub Actions Security Hardening: A Practical Checklist

GitHub Actions runs arbitrary code with access to your secrets and repos. A hands-on hardening guide — SHA pinning, least-privilege GITHUB_TOKEN, OIDC, and runner protection — with copy-paste YAML.

Jul 2, 20265 min read
DevSecOps

GitHub Actions Supply Chain Security: A 2026 Hardening Guide

GitHub Actions runs with your secrets and write access to your repo. This guide maps the real attack surface — from the tj-actions compromise to script injection — and gives you copy-paste hardening, OIDC, and scanning.

Jul 1, 20266 min read
Supply Chain Attacks

Megalodon: 5,561 GitHub Repos Backdoored via Injected Actions Workflows (May 2026)

In a six-hour window on May 18, 2026, an automated campaign pushed malicious GitHub Actions workflows into 5,561 repositories using credentials harvested by infostealers. We break down the attack chain, the workflow_dispatch dormancy trick, and CI detection.

May 23, 202612 min read
Application Security

10 GitHub security best practices

10 concrete GitHub security controls—2FA, push protection, branch rules, pinned Actions, SBOM—with real CVEs and dates security teams can act on today.

May 23, 20267 min read
DevSecOps

Mutable Tags Strike Again: actions-cool GitHub Action Tags Redirected to Imposter Commits (May 2026)

In May 2026, every tag on actions-cool/issues-helper and 15 tags on maintain-one-comment were quietly moved to point at imposter commits that stole CI/CD credentials from runner memory. A look at the mutable-tag attack class and how to defeat it.

May 21, 202610 min read
DevSecOps

Building a secure CI/CD pipeline with GitHub Actions

The tj-actions breach exposed secrets in 23,000 repos. Here's how pwn requests, unpinned tags, and self-hosted runners put your CI/CD at risk.

May 18, 20267 min read
Software Supply Chain Security

TanStack's Build Pipeline Got Hijacked and Still Signed Valid SLSA Provenance (May 2026)

On May 11, 2026, attackers chained a pull_request_target abuse, cache poisoning, and OIDC token theft to publish 84 malicious @tanstack npm versions from TanStack's own trusted pipeline. It is the first npm compromise to carry valid SLSA provenance.

May 15, 202611 min read
DevSecOps

npm Trusted Publishing walkthrough: retiring long-lived publish tokens

npm Trusted Publishing replaces long-lived publish tokens with short-lived OIDC-issued credentials tied to a specific CI workflow. Here is the 2026 rollout state, what the migration actually looks like, and where the rough edges still are.

May 14, 20269 min read
Supply Chain Attacks

TanStack and the Mini Shai-Hulud npm Worm (May 2026): Anatomy of a CI-Native Supply Chain Attack

On 11-12 May 2026, the TeamPCP-linked Mini Shai-Hulud worm published 84 malicious artifacts across 42 TanStack npm packages in six minutes, then spread to 160+ packages by abusing GitHub Actions OIDC tokens and CI cache poisoning.

May 13, 202612 min read
DevSecOps

npm provenance attestations walkthrough for 2026

npm provenance ties a published package to the specific GitHub Actions run that built it, signed through sigstore. Here is how to enable it for a publisher, verify it on the install side, and enforce it in CI without breaking your release process.

May 13, 20269 min read
github-actions (Page 2) — Safeguard Blog