github-actions
Safeguard articles tagged "github-actions" — guides, analysis, and best practices for software supply chain and application security.
63 articles
How to set up SAST scanning in a GitHub Actions pipeline
A step-by-step guide to setting up SAST scanning in GitHub Actions with CodeQL and Semgrep, including config, gating, and troubleshooting tips.
Getting Started: Safeguard GitHub Actions Gate
Set up the Safeguard GitHub Action to block risky pull requests on dependency vulnerabilities, license violations, and policy breaches before merge.
GitHub Actions: SHA-Pin Tags or Get Burned
Tag-pinning Actions feels fine until a maintainer gets compromised. Here is why SHA-pinning is the only serious option in 2026 and how to operationalize it.
Setting up OIDC federation between GitHub Actions and AWS...
A step-by-step guide to setting up AWS OIDC GitHub Actions federation, from IAM provider setup to scoped trust policies, so CI/CD pipelines never need long-lived AWS keys.
tj-actions/changed-files Compromise: What Happened
A March 2025 GitHub Action compromise rewrote every tagged version to leak secrets. Here is the timeline, attack chain, and what repos need to change.
Using GCP Workload Identity Federation for keyless CI/CD ...
GCP Workload Identity Federation lets CI/CD pipelines authenticate with short-lived tokens instead of service account keys. Here's how it works and how to migrate.
Ultralytics PyPI Compromise: Dec 2024 Post-Mortem
How a GitHub Actions cache poisoning attack pushed a crypto miner into Ultralytics 8.3.41 on PyPI, and what engineering teams should actually change.
Using OCI dynamic groups to authenticate CI/CD pipelines
A practical guide to eliminating static credentials in CI/CD using OCI dynamic groups, matching rules, and OCI DevOps service authentication instead of API keys.
The tj-actions/changed-files GitHub Action Supply Chain C...
CVE-2025-30066 exposed how a compromised tj-actions/changed-files GitHub Action leaked CI/CD secrets into build logs across 23,000+ repos. Timeline, impact, and fixes.
GitHub Actions workflow injection vulnerabilities
How GitHub Actions workflow injection lets attackers hijack CI pipelines via untrusted input, real CVEs like CVE-2025-30066, and how to detect it.
How to Set Up Dependency Review on GitHub Pull Requests
GitHub's dependency-review-action can block PRs that introduce vulnerable or badly-licensed packages. Here is the exact configuration, plus the cases it silently misses.
Securing GitHub Actions Reusable Workflows at Scale
Reusable workflows centralize CI logic — and centralize compromise. Pinning, secrets scoping, org policy, and the review process that keeps one bad merge from owning 400 repos.