A developer merges a pull request on a Friday afternoon. The repository is public. The commit includes an AWS access key hardcoded in a config file. Twenty minutes later, an email arrives from AWS Abuse.
By then, someone has already found the key, spun up EC2 instances in three regions, and started mining. The bill reaches $3,000 before the key is rotated.
This is not a rare scenario. It happens because nothing in the pipeline was looking for it.
Code review is manual. Humans miss things, especially on a Friday. The fix is not more careful developers. The fix is automated checks that run before code reaches production.
This article covers three of them. Not the full DevSecOps stack. Just the three controls that catch the most common problems in AWS pipelines, and how to add them to GitHub Actions this week.








