oidc
Safeguard articles tagged "oidc" — guides, analysis, and best practices for software supply chain and application security.
32 articles
Securing Secrets and Environment Variables in GitHub Actions
A tag-pinned GitHub Action used by 23,000+ repos was rewritten to dump CI memory in March 2025 — here's how OIDC and SHA-pinning would have stopped it.
Hardening a Java build pipeline in GitHub Actions
23,000+ repos leaked CI secrets when tj-actions/changed-files was hijacked in March 2025. Here's how to pin, OIDC, and sign a Java pipeline against that.
CI/CD pipeline hardening against supply chain attacks
23,000+ repos were exposed when tj-actions/changed-files was compromised in March 2025 — pinned SHAs and OIDC would have stopped it cold.
OIDC vs Static Credentials in CI/CD (2026 Guide)
Static secrets in CI are the credential most likely to be stolen — as the CircleCI breach proved. OIDC federation issues short-lived, per-run credentials with nothing to leak. Here is how to make the switch.
Securing CI/CD Secrets: OIDC, Scanning, and Short-Lived Credentials
CI/CD secrets are the crown jewels attackers go after — the CircleCI breach forced every customer to rotate everything. This guide covers secret sprawl, scanning, OIDC federation, and killing long-lived credentials for good.
Azure Pipelines Security: Stop Treating YAML as Config
An Azure Pipeline is a program with attacker-controllable input, not a config file. This guide covers macro injection, task and template pinning, environment approvals, workload identity federation, and adding scanning.
CircleCI Security Best Practices After the 2023 Breach
The January 2023 CircleCI incident forced every customer to rotate every secret. Here is what it taught us — plus hardened config.yml examples for orb pinning, restricted contexts, OIDC, and adding scanning.
GitLab CI Security Best Practices for 2026
GitLab CI hands every job a CI_JOB_TOKEN, a runner, and your variables. This guide covers the real attack surface — remote includes, token scope, privileged runners — with hardened .gitlab-ci.yml examples, OIDC, and scanning.
GitHub Actions Supply Chain Security: A 2026 Hardening Guide
GitHub Actions runs with your secrets and write access to your repo. This guide maps the real attack surface — from the tj-actions compromise to script injection — and gives you copy-paste hardening, OIDC, and scanning.
After the Worms: A CI/CD Security Playbook for Developer Credentials in 2026
The 2026 npm and PyPI worms proved that a trusted release pipeline is a credential vault. Here is what IronWorm and Mini Shai-Hulud actually exploited, and how to harden CI/CD before the next one lands.
Trusted Publishing for npm: Why Only 14% of Compromised P...
Only 14% of packages compromised since npm launched Trusted Publishing use it. Here's how OIDC-based publishing works, why adoption lags, and what still gets missed.
TanStack's Build Pipeline Got Hijacked and Still Signed Valid SLSA Provenance (May 2026)
On May 11, 2026, attackers chained a pull_request_target abuse, cache poisoning, and OIDC token theft to publish 84 malicious @tanstack npm versions from TanStack's own trusted pipeline. It is the first npm compromise to carry valid SLSA provenance.