Your CI workflow is the softest target in your repo. It runs automatically, it has a GITHUB_TOKEN...
actionsec` scans GitHub Actions supply-chain risk: 71% of repos use mutable tags (@v4) that can be compromised with full token access. For tech leaders, this closes a critical gap—workflows are the primary vector for 2025 attacks like reviewdog, making SHA-pinned actions non-negotiable.
Your CI workflow is the softest target in your repo. It runs automatically, it
has a GITHUB_TOKEN that can push commits, and it can read your secrets. The
supply-chain attacks of 2025 — reviewdog, tj-actions/changed-files — all came
in through the same unlocked door: a workflow that trusted a mutable action
tag, so when the upstream tag got repointed at malicious code, every consumer
Use Datadog IaC Security to catch GitHub Actions misconfigurations in the diff, before they reach production.
GitHub Action tags point to malicious commits, exposing CI/CD credentials; 15 second-action tags also compromised.
Been thinking about writing this one for a while. Supply chain attacks against CI/CD pipelines have...
A practical incident response and hardening playbook for GitHub supply-chain malware, developer Macs, CI/CD, Docker, branch…
We’ve all been there. You finish building a new project. It’s clean, it’s working, and it’s ready to...
A security researcher showed that a GitHub PR title, issue body, or comment could become a prompt...
