Safeguard
Tag

github

Safeguard articles tagged "github" — guides, analysis, and best practices for software supply chain and application security.

34 articles

Incident Analysis

Slack 2022-2023 Incidents: Operational Retrospective

Slack disclosed a stolen-token incident over the 2022 holidays and a related GitHub repository access event; the operational lessons apply broadly.

Oct 20, 20247 min read
Incident Analysis

The GitHub Dependabot Token Incident: Retrospective

In 2023, attackers used stolen GitHub personal access tokens to push malicious commits masquerading as Dependabot; a short-sharp incident with lasting lessons.

Aug 15, 20247 min read
Incident Analysis

Dropbox 2022: The Supply Chain Angle

Dropbox's 2022 GitHub phishing incident began with a developer-targeted CircleCI lookalike campaign; the supply chain lessons centered on CI tokens and code.

Jul 18, 20246 min read
Vulnerability Analysis

GitHub Enterprise Server CVE-2024-4985: SAML Authentication Bypass

A critical authentication bypass in GitHub Enterprise Server allowed attackers to forge SAML responses and gain administrator access to self-hosted GitHub instances without any credentials.

May 20, 20245 min read
Case Studies

GitHub's Supply Chain Security Features

A comprehensive look at GitHub's evolving supply chain security toolkit, from Dependabot to code scanning, and how these features are reshaping how developers manage dependency risk.

Mar 18, 20247 min read
DevSecOps

How to Enable Dependency Review on GitHub PRs

A step-by-step tutorial for turning on GitHub Dependency Review, enforcing license and severity policies, and getting fast feedback on every pull request.

Oct 12, 20236 min read
Open Source Security

Dependabot Security Updates: Behavior Deep Dive

A hands-on look at how Dependabot security updates behave in 2023 - PR grouping, semver strategy, transitive coverage, and alternatives when it misses a fix.

Sep 12, 20235 min read
DevSecOps

GitHub Dependabot and the State of Automated Dependency Security

Dependabot has become the default for dependency updates, but its limitations highlight why automated scanning alone isn't enough for supply chain security.

Aug 15, 20235 min read
Tool Reviews

GitHub Advanced Security: CodeQL, Dependabot, and Secret Scanning in Practice

A review of GitHub Advanced Security covering CodeQL SAST, Dependabot SCA, secret scanning, and how the integrated security experience works for development teams.

Jul 8, 20236 min read
Software Supply Chain Security

Starjacking Attacks on Package Registries: Exploiting Repository Trust

Starjacking exploits the trust developers place in GitHub stars and repository metadata. Attackers link malicious packages to popular repositories to appear legitimate. Here is how it works.

Jul 5, 20235 min read
Incident Response

GitHub Private RSA Key Exposed in Public Repository

GitHub's accidental exposure of its private RSA SSH host key in a public repository forced an emergency rotation affecting millions of developers.

Mar 10, 20236 min read
Incident Response

GitHub RSA SSH Key Rotation Incident: Why It Mattered

GitHub rotated its RSA SSH host key after accidental exposure. A small mistake with major supply chain implications for every Git-based workflow.

Jan 25, 20236 min read
github (Page 2) — Safeguard Blog