Safeguard
Tag

github-actions

Safeguard articles tagged "github-actions" — guides, analysis, and best practices for software supply chain and application security.

63 articles

Product

How Snyk's GitHub Actions integration scans pull requests...

A mechanical breakdown of how Snyk's GitHub Actions integration scans pull requests: triggers, SARIF uploads, severity thresholds, and what the checks can't see.

Aug 16, 20257 min read
Concepts

What is a Build Cache Poisoning Attack

Build cache poisoning plants malicious entries in a shared CI cache so trusted builds unknowingly consume attacker-controlled artifacts. Here's the mechanics and the fixes.

Jul 14, 20256 min read
Guides

How to Vet a GitHub Action Before You Trust It with Secrets

Third-party Actions run with your repo's token and secrets. A vetting routine: read the source at the pinned SHA, audit the bundled dist, scope permissions, and contain egress.

Jun 22, 20256 min read
Supply Chain Security

GitHub Actions Supply Chain Attack: The tj-actions/changed-files Compromise

Attackers compromised the popular tj-actions/changed-files GitHub Action, injecting credential-stealing code that affected over 23,000 repositories. A textbook software supply chain attack.

Mar 15, 20256 min read
Supply Chain Security

GitHub Actions Artifact Poisoning: A Growing Supply Chain Attack Vector

Researchers disclosed techniques to poison GitHub Actions artifacts, enabling code execution in CI/CD pipelines of downstream projects. The attack exploits trust assumptions in artifact sharing.

Aug 12, 20247 min read
Concepts

What is Repo-Jacking

Repo-jacking hijacks renamed or deleted GitHub namespaces to serve attacker code at trusted URLs. Here's how the redirect trick works and how to audit your exposure.

May 5, 20247 min read
DevSecOps

1Password Secrets Automation in CI

1Password has quietly become a credible secrets backend for CI/CD. A walkthrough of Connect, Service Accounts, and the CLI patterns that make 1Password Secrets Automation work in a build pipeline.

Apr 22, 20247 min read
Engineering

SLSA Level 3 in Practice: What It Takes

SLSA Build L3 is achievable in a week per repo if you use a hosted builder — and nearly impossible if you insist on rolling your own. Here is the practical path.

Apr 19, 20246 min read
DevSecOps

Migrating Jenkins to GitHub Actions: Security

A case study in moving a sprawling Jenkins estate to GitHub Actions without losing supply chain visibility, artifact integrity, or developer trust.

Apr 15, 20247 min read
Open Source Security

How to Publish an npm Package With Provenance

A step-by-step tutorial for publishing npm packages with provenance attestations so your consumers can cryptographically verify the build source.

Mar 8, 20246 min read
DevSecOps

GitHub Packages Security Features: What You Get and What You Do Not

GitHub Packages integrates tightly with GitHub Actions and repositories. Its security features are convenient but have gaps that teams need to understand.

Sep 12, 20236 min read
DevSecOps

How to Pin GitHub Actions to SHAs Correctly

A hands-on guide to pinning every third-party GitHub Action to a full commit SHA, automating updates with Dependabot, and avoiding the common pitfalls.

Apr 18, 20234 min read
github-actions (Page 5) — Safeguard Blog