github-actions
Safeguard articles tagged "github-actions" — guides, analysis, and best practices for software supply chain and application security.
63 articles
Software supply chain attacks in 2026: what's actually changed
A single compromised maintainer token in March 2025 exposed secrets across 23,000+ repositories — supply chain attacks now target the pipeline, not just the package.
How to Add Security Scanning to Your CI/CD Pipeline
Wire dependency, container, and secret scanning into GitHub Actions or GitLab CI as a required check that blocks risky merges — with working workflow files and sensible thresholds.
GitHub Actions Security Hardening: A Practical Checklist
GitHub Actions runs arbitrary code with access to your secrets and repos. A hands-on hardening guide — SHA pinning, least-privilege GITHUB_TOKEN, OIDC, and runner protection — with copy-paste YAML.
GitHub Actions Supply Chain Security: A 2026 Hardening Guide
GitHub Actions runs with your secrets and write access to your repo. This guide maps the real attack surface — from the tj-actions compromise to script injection — and gives you copy-paste hardening, OIDC, and scanning.
Megalodon: 5,561 GitHub Repos Backdoored via Injected Actions Workflows (May 2026)
In a six-hour window on May 18, 2026, an automated campaign pushed malicious GitHub Actions workflows into 5,561 repositories using credentials harvested by infostealers. We break down the attack chain, the workflow_dispatch dormancy trick, and CI detection.
10 GitHub security best practices
10 concrete GitHub security controls—2FA, push protection, branch rules, pinned Actions, SBOM—with real CVEs and dates security teams can act on today.
Mutable Tags Strike Again: actions-cool GitHub Action Tags Redirected to Imposter Commits (May 2026)
In May 2026, every tag on actions-cool/issues-helper and 15 tags on maintain-one-comment were quietly moved to point at imposter commits that stole CI/CD credentials from runner memory. A look at the mutable-tag attack class and how to defeat it.
Building a secure CI/CD pipeline with GitHub Actions
The tj-actions breach exposed secrets in 23,000 repos. Here's how pwn requests, unpinned tags, and self-hosted runners put your CI/CD at risk.
TanStack's Build Pipeline Got Hijacked and Still Signed Valid SLSA Provenance (May 2026)
On May 11, 2026, attackers chained a pull_request_target abuse, cache poisoning, and OIDC token theft to publish 84 malicious @tanstack npm versions from TanStack's own trusted pipeline. It is the first npm compromise to carry valid SLSA provenance.
npm Trusted Publishing walkthrough: retiring long-lived publish tokens
npm Trusted Publishing replaces long-lived publish tokens with short-lived OIDC-issued credentials tied to a specific CI workflow. Here is the 2026 rollout state, what the migration actually looks like, and where the rough edges still are.
TanStack and the Mini Shai-Hulud npm Worm (May 2026): Anatomy of a CI-Native Supply Chain Attack
On 11-12 May 2026, the TeamPCP-linked Mini Shai-Hulud worm published 84 malicious artifacts across 42 TanStack npm packages in six minutes, then spread to 160+ packages by abusing GitHub Actions OIDC tokens and CI cache poisoning.
npm provenance attestations walkthrough for 2026
npm provenance ties a published package to the specific GitHub Actions run that built it, signed through sigstore. Here is how to enable it for a publisher, verify it on the install side, and enforce it in CI without breaking your release process.