Tag
sha-pinning
Safeguard articles tagged "sha-pinning" — guides, analysis, and best practices for software supply chain and application security.
3 articles
DevSecOps
Mutable Tags Strike Again: actions-cool GitHub Action Tags Redirected to Imposter Commits (May 2026)
In May 2026, every tag on actions-cool/issues-helper and 15 tags on maintain-one-comment were quietly moved to point at imposter commits that stole CI/CD credentials from runner memory. A look at the mutable-tag attack class and how to defeat it.
May 21, 202610 min read
Engineering
Securing GitHub Actions Reusable Workflows at Scale
Reusable workflows centralize CI logic — and centralize compromise. Pinning, secrets scoping, org policy, and the review process that keeps one bad merge from owning 400 repos.
Sep 14, 20256 min read
Guides
How to Vet a GitHub Action Before You Trust It with Secrets
Third-party Actions run with your repo's token and secrets. A vetting routine: read the source at the pinned SHA, audit the bundled dist, scope permissions, and contain egress.
Jun 22, 20256 min read