github
Safeguard articles tagged "github" — guides, analysis, and best practices for software supply chain and application security.
34 articles
Slack 2022-2023 Incidents: Operational Retrospective
Slack disclosed a stolen-token incident over the 2022 holidays and a related GitHub repository access event; the operational lessons apply broadly.
The GitHub Dependabot Token Incident: Retrospective
In 2023, attackers used stolen GitHub personal access tokens to push malicious commits masquerading as Dependabot; a short-sharp incident with lasting lessons.
Dropbox 2022: The Supply Chain Angle
Dropbox's 2022 GitHub phishing incident began with a developer-targeted CircleCI lookalike campaign; the supply chain lessons centered on CI tokens and code.
GitHub Enterprise Server CVE-2024-4985: SAML Authentication Bypass
A critical authentication bypass in GitHub Enterprise Server allowed attackers to forge SAML responses and gain administrator access to self-hosted GitHub instances without any credentials.
GitHub's Supply Chain Security Features
A comprehensive look at GitHub's evolving supply chain security toolkit, from Dependabot to code scanning, and how these features are reshaping how developers manage dependency risk.
How to Enable Dependency Review on GitHub PRs
A step-by-step tutorial for turning on GitHub Dependency Review, enforcing license and severity policies, and getting fast feedback on every pull request.
Dependabot Security Updates: Behavior Deep Dive
A hands-on look at how Dependabot security updates behave in 2023 - PR grouping, semver strategy, transitive coverage, and alternatives when it misses a fix.
GitHub Dependabot and the State of Automated Dependency Security
Dependabot has become the default for dependency updates, but its limitations highlight why automated scanning alone isn't enough for supply chain security.
GitHub Advanced Security: CodeQL, Dependabot, and Secret Scanning in Practice
A review of GitHub Advanced Security covering CodeQL SAST, Dependabot SCA, secret scanning, and how the integrated security experience works for development teams.
Starjacking Attacks on Package Registries: Exploiting Repository Trust
Starjacking exploits the trust developers place in GitHub stars and repository metadata. Attackers link malicious packages to popular repositories to appear legitimate. Here is how it works.
GitHub Private RSA Key Exposed in Public Repository
GitHub's accidental exposure of its private RSA SSH host key in a public repository forced an emergency rotation affecting millions of developers.
GitHub RSA SSH Key Rotation Incident: Why It Mattered
GitHub rotated its RSA SSH host key after accidental exposure. A small mistake with major supply chain implications for every Git-based workflow.