Safeguard
Tag

github

Safeguard articles tagged "github" — guides, analysis, and best practices for software supply chain and application security.

34 articles

Tool Comparisons

Dependabot vs Renovate: Which Dependency Update Bot Should You Use?

A practical guide comparing Dependabot and Renovate for automated dependency updates, covering configuration flexibility, ecosystem support, and team workflows.

Jan 25, 20236 min read
Incident Analysis

Slack GitHub Repository Theft: Stolen Tokens and the Risks of Third-Party Integrations

In December 2022, Slack disclosed that stolen employee tokens were used to access private GitHub repositories. The breach highlighted the risks of token-based authentication in CI/CD pipelines.

Jan 4, 20236 min read
DevSecOps

GitHub Repository Security Settings Guide

Configure GitHub repository security settings for branch protection, secret scanning, dependency alerts, and code scanning.

Dec 12, 20225 min read
Vulnerability Analysis

GitHub Code Signing Bypass: When the Trust Anchor Fails

A vulnerability in GitHub's commit signature verification allowed attackers to forge signed commits. The flaw undermined the integrity guarantees that code signing is supposed to provide.

Dec 5, 20226 min read
Incident Response

Dropbox Breach: Phishing Attack Exposes 130 Private GitHub Repositories

Attackers phished Dropbox employees by impersonating CircleCI, gaining access to 130 private GitHub repos containing internal code and credentials.

Nov 2, 20226 min read
How-To Guide

Setting Up Dependency Scanning on GitHub

A hands-on walkthrough for configuring automated dependency scanning in your GitHub repositories, from Dependabot alerts to custom CI workflows.

Aug 22, 20226 min read
Supply Chain Attacks

Malicious GitHub Commits: The Overlooked Supply Chain Attack Vector

Attackers can impersonate any committer on GitHub, inject malicious code through PRs, and exploit lax review processes. Here's the risk.

Aug 20, 20227 min read
DevSecOps

The GitHub Codespaces Security Model, Examined

GitHub Codespaces has gone GA and is about to become the dev environment standard. Here is a close read of its security model — including what it does not solve.

Jun 22, 20227 min read
Incident Response

GitHub OAuth Token Theft: The Heroku and Travis CI Breach

Attackers stole OAuth tokens from Heroku and Travis CI to access private GitHub repositories across dozens of organizations, including npm itself. The full scope of the breach took weeks to unravel.

Apr 15, 20225 min read
Incident Response

Heroku and GitHub OAuth Token Theft: The Early Warning Signs

Stolen OAuth tokens from Heroku's integration with GitHub gave attackers access to private repositories across dozens of organizations. The breach revealed systemic weaknesses in third-party OAuth integrations.

Feb 25, 20225 min read
github (Page 3) — Safeguard Blog