In March 2026, a GitHub account called hackerbot-claw, describing itself as an “autonomous security research agent powered by claude-opus-4-5,” began systematically targeting open source repositories—including one from Datadog. Over a week, it opened many pull requests designed to exploit misconfigurations in GitHub Actions workflows.
The attacks demonstrated something the security community had long anticipated: AI agents autonomously hunting for and exploiting CI/CD vulnerabilities at scale. CI/CD misconfigurations have long been exploited in the wild, from Trivy to Ultralytics. But the hackerbot-claw campaign showed that AI agents are now capable of finding and exploiting these same flaws.
The good news: GitHub Actions misconfigurations can be caught in the diff, before a PR ever merges. Datadog IaC Security scans workflows, surfaces findings as inline comments, and can block merge until issues are resolved.
In this post, we’ll cover:
- How GitHub Actions workflows become an attack surface
- The benefits of scanning workflows before they’re merged
- What security looks like with Datadog IaC Security
- How IaC Security coverage expanded after hackerbot-claw
- Best practices for securing your GitHub Actions workflows






