Safeguard
Tag

github-actions

Safeguard articles tagged "github-actions" — guides, analysis, and best practices for software supply chain and application security.

63 articles

DevSecOps

How to set up SAST scanning in a GitHub Actions pipeline

A step-by-step guide to setting up SAST scanning in GitHub Actions with CodeQL and Semgrep, including config, gating, and troubleshooting tips.

Feb 18, 20267 min read
Tutorials

Getting Started: Safeguard GitHub Actions Gate

Set up the Safeguard GitHub Action to block risky pull requests on dependency vulnerabilities, license violations, and policy breaches before merge.

Feb 14, 20267 min read
DevSecOps

GitHub Actions: SHA-Pin Tags or Get Burned

Tag-pinning Actions feels fine until a maintainer gets compromised. Here is why SHA-pinning is the only serious option in 2026 and how to operationalize it.

Jan 24, 20266 min read
Cloud Security

Setting up OIDC federation between GitHub Actions and AWS...

A step-by-step guide to setting up AWS OIDC GitHub Actions federation, from IAM provider setup to scoped trust policies, so CI/CD pipelines never need long-lived AWS keys.

Jan 17, 20267 min read
Incident Analysis

tj-actions/changed-files Compromise: What Happened

A March 2025 GitHub Action compromise rewrote every tagged version to leak secrets. Here is the timeline, attack chain, and what repos need to change.

Jan 14, 20267 min read
DevSecOps

Using GCP Workload Identity Federation for keyless CI/CD ...

GCP Workload Identity Federation lets CI/CD pipelines authenticate with short-lived tokens instead of service account keys. Here's how it works and how to migrate.

Jan 12, 20267 min read
Incident Analysis

Ultralytics PyPI Compromise: Dec 2024 Post-Mortem

How a GitHub Actions cache poisoning attack pushed a crypto miner into Ultralytics 8.3.41 on PyPI, and what engineering teams should actually change.

Jan 9, 20267 min read
DevSecOps

Using OCI dynamic groups to authenticate CI/CD pipelines

A practical guide to eliminating static credentials in CI/CD using OCI dynamic groups, matching rules, and OCI DevOps service authentication instead of API keys.

Jan 7, 20268 min read
DevSecOps

The tj-actions/changed-files GitHub Action Supply Chain C...

CVE-2025-30066 exposed how a compromised tj-actions/changed-files GitHub Action leaked CI/CD secrets into build logs across 23,000+ repos. Timeline, impact, and fixes.

Dec 1, 20258 min read
Cloud Security

GitHub Actions workflow injection vulnerabilities

How GitHub Actions workflow injection lets attackers hijack CI pipelines via untrusted input, real CVEs like CVE-2025-30066, and how to detect it.

Nov 3, 20257 min read
Guides

How to Set Up Dependency Review on GitHub Pull Requests

GitHub's dependency-review-action can block PRs that introduce vulnerable or badly-licensed packages. Here is the exact configuration, plus the cases it silently misses.

Sep 17, 20255 min read
Engineering

Securing GitHub Actions Reusable Workflows at Scale

Reusable workflows centralize CI logic — and centralize compromise. Pinning, secrets scoping, org policy, and the review process that keeps one bad merge from owning 400 repos.

Sep 14, 20256 min read
github-actions (Page 4) — Safeguard Blog