github
Safeguard articles tagged "github" — guides, analysis, and best practices for software supply chain and application security.
34 articles
Dependabot vs Renovate: Which Dependency Update Bot Should You Use?
A practical guide comparing Dependabot and Renovate for automated dependency updates, covering configuration flexibility, ecosystem support, and team workflows.
Slack GitHub Repository Theft: Stolen Tokens and the Risks of Third-Party Integrations
In December 2022, Slack disclosed that stolen employee tokens were used to access private GitHub repositories. The breach highlighted the risks of token-based authentication in CI/CD pipelines.
GitHub Repository Security Settings Guide
Configure GitHub repository security settings for branch protection, secret scanning, dependency alerts, and code scanning.
GitHub Code Signing Bypass: When the Trust Anchor Fails
A vulnerability in GitHub's commit signature verification allowed attackers to forge signed commits. The flaw undermined the integrity guarantees that code signing is supposed to provide.
Dropbox Breach: Phishing Attack Exposes 130 Private GitHub Repositories
Attackers phished Dropbox employees by impersonating CircleCI, gaining access to 130 private GitHub repos containing internal code and credentials.
Setting Up Dependency Scanning on GitHub
A hands-on walkthrough for configuring automated dependency scanning in your GitHub repositories, from Dependabot alerts to custom CI workflows.
Malicious GitHub Commits: The Overlooked Supply Chain Attack Vector
Attackers can impersonate any committer on GitHub, inject malicious code through PRs, and exploit lax review processes. Here's the risk.
The GitHub Codespaces Security Model, Examined
GitHub Codespaces has gone GA and is about to become the dev environment standard. Here is a close read of its security model — including what it does not solve.
GitHub OAuth Token Theft: The Heroku and Travis CI Breach
Attackers stole OAuth tokens from Heroku and Travis CI to access private GitHub repositories across dozens of organizations, including npm itself. The full scope of the breach took weeks to unravel.
Heroku and GitHub OAuth Token Theft: The Early Warning Signs
Stolen OAuth tokens from Heroku's integration with GitHub gave attackers access to private repositories across dozens of organizations. The breach revealed systemic weaknesses in third-party OAuth integrations.