Resources

Supply Chain Security, in plain English.

Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.

Filtering by tag: #GitHub (9 articles)

Articles

Vulnerability Analysis

GitHub Enterprise Server CVE-2024-4985: SAML Authentication Bypass

A critical authentication bypass in GitHub Enterprise Server allowed attackers to forge SAML responses and gain administrator access to self-hosted instances configured for SAML single sign-on with the optional encrypted assertions feature enabled, without holding any valid credentials.

May 20, 2024 · 5 min read
Open Source Security

Dependabot Security Updates: Behavior Deep Dive

A hands-on look at how Dependabot security updates behave in 2023 - PR grouping, semver strategy, transitive coverage, and alternatives when it misses a fix.

Sep 12, 2023 · 5 min read
Software Supply Chain Security

Starjacking Attacks on Package Registries: Exploiting Repository Trust

Starjacking exploits the trust developers place in GitHub stars and repository metadata. Attackers link malicious packages to popular repositories to appear legitimate. Here is how it works.

Jul 5, 2023 · 5 min read
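The detection check a practitioner wants for starjacking is the reverse lookup the registry itself never performs: does the repository the package points at actually publish this package? The block below is an added example (not code from the article or from Safeguard); the two package manifests and the repository manifests are constructed inline so it runs offline, and the package and organization names in them are hypothetical.

```python
"""Added example: reverse-check a package's claimed source repository.

A registry displays whatever `repository` URL the publisher writes into the
manifest, so a lookalike package can borrow a popular repo's stars, README
and commit history. The check here fetches nothing; it compares the package
name against the name declared in the linked repository's own manifest.
All manifests below are constructed sample data, not real packages.
"""
from typing import Dict, Optional, Union
from urllib.parse import urlparse


def normalize_repo(url: str) -> Optional[str]:
    """Reduce a GitHub repository URL to 'github.com/owner/repo' (lowercase).

    Handles the forms npm accepts: git+https://..., https://..., .git suffix,
    and the git@github.com:owner/repo.git SSH shorthand. Returns None for
    anything that is not a GitHub owner/repo path.
    """
    if url.startswith("git+"):
        url = url[len("git+"):]
    if url.startswith("git@github.com:"):
        url = "https://github.com/" + url[len("git@github.com:"):]
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    path = parsed.path.strip("/")
    if path.endswith(".git"):
        path = path[: -len(".git")]
    parts = path.split("/")
    if host != "github.com" or len(parts) < 2 or not parts[0] or not parts[1]:
        return None
    return f"{host}/{parts[0].lower()}/{parts[1].lower()}"


def starjacking_verdict(package: dict, repo_manifests: Dict[str, dict]) -> str:
    """Classify a package manifest against the manifests of known repositories.

    repo_manifests maps a normalized 'github.com/owner/repo' key to the
    package.json found at that repository's root (what a live check would
    fetch from the default branch).
    """
    claimed: Union[str, dict, None] = package.get("repository")
    if isinstance(claimed, dict):  # npm also allows {"type": "git", "url": ...}
        claimed = claimed.get("url", "")
    repo = normalize_repo(claimed or "")
    if repo is None:
        return "no-repo-link"        # nothing to borrow trust from
    manifest = repo_manifests.get(repo)
    if manifest is None:
        return "repo-missing"        # link points at a repo that publishes nothing
    if manifest.get("name") != package.get("name"):
        return "mismatch"            # repo exists but publishes a different package
    return "ok"


# Constructed sample data (hypothetical names).
REPO_MANIFESTS = {
    "github.com/example-org/fast-json": {"name": "fast-json", "version": "4.2.0"},
}

LEGIT_PACKAGE = {
    "name": "fast-json",
    "repository": {"type": "git", "url": "git+https://github.com/Example-Org/fast-json.git"},
}

# A lookalike that points its metadata at the popular repo to inherit its stars.
LOOKALIKE_PACKAGE = {
    "name": "fast-jsonn",
    "repository": "https://github.com/example-org/fast-json",
}


if __name__ == "__main__":
    for pkg in (LEGIT_PACKAGE, LOOKALIKE_PACKAGE):
        print(pkg["name"], "->", starjacking_verdict(pkg, REPO_MANIFESTS))
```

In a live pipeline the `repo_manifests` lookup becomes a fetch of the linked repository's root manifest; a "mismatch" or "repo-missing" verdict is the signal that the registry page's stars and README belong to someone else's project.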
Incident Response

GitHub Private RSA Key Exposed in Public Repository

GitHub's accidental exposure of its private RSA SSH host key in a public repository forced an emergency rotation affecting millions of developers.

Mar 10, 2023 · 6 min read
Incident Response

GitHub RSA SSH Key Rotation Incident: Why It Mattered

GitHub rotated its RSA SSH host key after accidental exposure. A small mistake with major supply chain implications for every Git-based workflow.

Jan 25, 2023 · 6 min read
Incident Response

Dropbox Breach: Phishing Attack Exposes 130 Private GitHub Repositories

Attackers phished Dropbox employees by impersonating CircleCI, gaining access to 130 private GitHub repos containing internal code and credentials.

Nov 2, 2022 · 6 min read
Supply Chain Attacks

Malicious GitHub Commits: The Overlooked Supply Chain Attack Vector

Git records the author and committer as free-form name and email strings, so anyone can set them to a maintainer's identity on an unsigned commit. Attackers use this to slip malicious code through pull requests and exploit lax review processes. Here's the risk.

Aug 20, 2022 · 7 min read
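The practical check against committer impersonation is to stop treating the author string as an identity and ask git for the signature status instead. The block below is an added example (not the article's or Safeguard's code): it parses the output of a `git log` format that includes `%G?` (git's one-letter signature status) and flags commits that claim a trusted domain without a verified signature. The log lines and the trusted domain `example.com` are constructed sample data.

```python
"""Added example: audit commit identities using git signature status.

Expected input is the output of
    git log --format='%H%x09%an%x09%ae%x09%G?%x09%GS'
where %G? is git's signature status code:
    G good signature, B bad, U good but untrusted key, X/Y expired,
    R revoked, E cannot be checked, N no signature.
The log text below is constructed sample data, not a real repository.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str   # git %G? code
    signer: str       # git %GS, empty when unsigned


def parse_git_log(text: str) -> List[Commit]:
    """Parse tab-separated git log lines into Commit records."""
    commits = []
    for line in text.strip().splitlines():
        sha, name, email, status, signer = line.split("\t", 4)
        commits.append(Commit(sha, name, email, status, signer))
    return commits


def audit_commits(commits: List[Commit], trusted_domain: str) -> Dict[str, str]:
    """Map each commit sha to a verdict.

    The only identity that counts is a verified signature (status G). An
    unsigned commit whose author email claims the trusted domain is exactly
    the impersonation case: the string proves nothing, so it gets its own
    verdict rather than being lumped in with ordinary unverified commits.
    """
    verdicts = {}
    for c in commits:
        claims_insider = c.author_email.lower().endswith("@" + trusted_domain.lower())
        if c.sig_status == "G":
            verdict = "verified"
        elif c.sig_status == "N" and claims_insider:
            verdict = "unsigned-insider-claim"
        elif c.sig_status in ("B", "R", "X", "Y"):
            verdict = "bad-signature"
        elif c.sig_status == "U":
            verdict = "signed-untrusted-key"
        else:  # N from an outsider, or E (cannot check)
            verdict = "unverified"
        verdicts[c.sha] = verdict
    return verdicts


def suspicious(verdicts: Dict[str, str]) -> List[str]:
    """Return shas that should block a merge under a signed-commit policy."""
    return [sha for sha, v in verdicts.items()
            if v in ("unsigned-insider-claim", "bad-signature")]


# Constructed sample log (hypothetical identities, truncated shas).
SAMPLE_LOG = "\n".join([
    "a1b2c3d\tMaintainer One\tmaintainer@example.com\tG\tMaintainer One <maintainer@example.com>",
    "d4e5f6a\tMaintainer One\tmaintainer@example.com\tN\t",      # spoofed: no signature
    "b7c8d9e\tOutside Contributor\tsomeone@gmail.com\tN\t",
    "f0a1b2c\tRelease Bot\tbot@example.com\tB\tunknown",           # signature does not verify
    "c3d4e5f\tNew Hire\tnewhire@example.com\tU\tNew Hire <newhire@example.com>",
])


if __name__ == "__main__":
    results = audit_commits(parse_git_log(SAMPLE_LOG), "example.com")
    for sha, verdict in results.items():
        print(sha, verdict)
    print("blocking:", suspicious(results))
```

The second sample line is the attack the article describes: same name and email as the maintainer's verified commit above it, but `%G?` is `N`, so nothing ties it to the maintainer's key. Requiring signed commits on the protected branch makes that row a merge blocker rather than a reviewer judgement call.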
Incident Response

GitHub OAuth Token Theft: The Heroku and Travis CI Breach

Attackers stole OAuth tokens from Heroku and Travis CI to access private GitHub repositories across dozens of organizations, including npm itself. The full scope of the breach took weeks to unravel.

Apr 15, 2022 · 5 min read
Incident Response

Heroku and GitHub OAuth Token Theft: The Early Warning Signs

Stolen OAuth tokens from Heroku's integration with GitHub gave attackers access to private repositories across dozens of organizations. The breach revealed systemic weaknesses in third-party OAuth integrations.

Feb 25, 2022 · 5 min read

Blog | Safeguard.sh — Software Supply Chain Security Insights