github-actions
Safeguard articles tagged "github-actions" — guides, analysis, and best practices for software supply chain and application security.
63 articles
tj-actions Supply Chain Attack March 2025: A Postmortem
The tj-actions/changed-files compromise exposed CI secrets across thousands of public repositories. A postmortem on the attack chain and the GitHub Actions trust model.
SBOM GitHub Action / dropping SBOM tooling into CI workflows
Adding an SBOM GitHub Action like Anchore's is easy; making the output useful isn't. Here's what breaks in real CI pipelines and how to fix it.
Prompt Injection in CI/CD Pipelines: Attack Paths and Defenses
When LLMs review PRs, triage issues, and fix builds, every commit message becomes attacker input. The concrete attack paths through GitHub Actions and what blocks them.
GitHub Actions Immutable Actions GA: Why OCI-Backed Action Distribution Closes the tj-actions Class of Attack
GitHub's 2026 roadmap puts Immutable Actions GA at the center of Actions supply-chain hardening, publishing actions as OCI artifacts with hash-mismatch fail-fast and full composite-action visibility.
Zero Trust for CI/CD Pipelines: A Concrete Blueprint
CI/CD runners are a top attacker target. Here's a concrete zero-trust blueprint using OIDC federation, pinned action SHAs, and short-lived identities.
How to Implement SLSA Level 3 Practically
SLSA Level 3 requires hardened builds, verifiable provenance, and isolated build environments. Here is the practical path, not the theoretical one.
GitHub Actions Cache Poisoning Attack Class 2025
GitHub Actions caches were never designed as a trust boundary. In 2025 researchers turned that mismatch into a repeatable supply-chain attack pattern.
GitHub Actions Supply Chain Hardening Checklist 2026
A pragmatic 2026 hardening checklist for GitHub Actions: OIDC, pinned actions, environment protection, reusable workflows, and the controls that actually move risk.
tj-actions Compromise: One Year Retrospective
A year after the tj-actions/changed-files compromise leaked CI secrets across thousands of GitHub repos, what did we fix and what is still dangerously convenient?
What is CI/CD Pipeline Poisoning
CI/CD pipeline poisoning lets attackers hijack your build automation to steal secrets and plant backdoors. Here's how it works and how to stop it.
How to Generate an SBOM with GitHub Actions (2026)
SBOMs are a compliance table-stakes artifact in 2026. Here is a production GitHub Actions workflow that generates, signs, and attests a CycloneDX SBOM on every release.
How to set up SBOM generation in a CI pipeline
Learn how to build an SBOM generation CI pipeline with Syft and GitHub Actions, covering scanning, signing, storage, and verification for supply chain visibility.