
๐Ÿ•ต๏ธโ€โ™‚๏ธ Security risks in GitHub Actions (by Igor Stepansky) | Cloud & CI/CD Security TechSpot

119 views
Dec 8, 2025
40:26

Igor Stepansky shows how attackers abuse GitHub Actions and what you can realistically do about it.

🧠 This talk shows:
• Structure of GitHub Actions workflows: triggers, jobs, runners, steps, actions
• Main risk areas: secrets, GitHub token permissions, missing dependency pinning, third-party actions, etc.
• Real incidents: tj-actions supply-chain compromise, PyTorch contributor → runner takeover → malicious release
• Hardening practices that work in day-to-day engineering
• Open-source tool demo: mapping and scanning the full action chain

🎤 Speaker: Igor Stepansky, Security Researcher at Orca Security
https://www.linkedin.com/in/igor-stepansky/

👇 Timestamps:
0:00 – Intro and speaker background
1:30 – Agenda and why GitHub Actions matters (CI/CD adoption)
2:40 – How GitHub Actions works: workflows, jobs, runners, marketplace actions
7:24 – Eight common security risks in GitHub Actions (overview)
7:51 – Secret management and GITHUB_TOKEN permission issues
10:23 – Dependency pinning failures and supply-chain attacks via actions
12:32 – Code injection, artifact poisoning, and dangerous triggers (pull_request_target)
16:44 – Self-hosted runners and real-world attacks (tj-actions, PyTorch)
23:05 – Hardening checklist and secure GitHub Actions practices
25:40 – Aspect (ex-Actchain): scanning the full GitHub Actions chain
29:10 – "Homework": OWASP CI/CD Top 10 and deeper talks on Actions attacks
30:06 – Q&A: AI in security tooling, noisy findings, and parallel use with classic tools
32:15 – Q&A: pinning vs. latest, trusting hosted runners, and small-company trade-offs
36:09 – Q&A: tooling cost, open source options, forks, secrets, and identity federation

👀 Other talks from the Cloud & CI/CD Security TechSpot:
Panel discussion https://youtu.be/Da9fL9LaeUs
Talk https://youtu.be/XSO-A9K51ZU

🌟 TechSpot events are driven by On The Spot Development.
More about TechSpot: https://onthespotdev.com/techspot
Open positions for engineers in Poland: https://onthespotdev.com/careers

#devsecops #githubactions #cicd #supplychainsecurity #cybersecurity #opensourcesecurity
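The risk areas in the agenda (GITHUB_TOKEN permissions, missing dependency pinning, the pull_request_target trigger, and expression injection into run steps) can be checked mechanically. The following is an added example written for this page; it is not the talk's demo tool, nor Aspect/Actchain, and it is a line-oriented heuristic rather than a YAML parser. Both workflow files are constructed, and the 40-hex commit SHAs in them are placeholders, not real commits of the actions named.

```python
import re

# Constructed sample workflow (not from the talk). It deliberately packs several
# of the risk areas listed in the agenda into one file: no permissions block,
# a tag-pinned action, pull_request_target checking out the PR head, and an
# untrusted PR field interpolated into a shell step. The 40-hex SHA is a
# placeholder, not a real commit of actions/setup-node.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - run: echo "PR title: ${{ github.event.pull_request.title }}"
"""

# The same job after hardening: least-privilege token, pull_request instead of
# pull_request_target, full-SHA pins, and the PR title passed through an env var.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - run: echo "PR title: $TITLE"
        env:
          TITLE: ${{ github.event.pull_request.title }}
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^(\s*(?:-\s*)?)run:")
REF_RE = re.compile(r"^\s*ref:\s*(.+)$")
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Event fields an external contributor controls; interpolating them straight
# into a shell `run:` line is a command-injection risk.
UNTRUSTED_FIELDS = (
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.issue.title",
    "github.event.issue.body", "github.event.comment.body",
    "github.event.review.body", "github.event.head_commit.message",
    "github.head_ref",
)


def scan_workflow(text):
    """Return (line_number, rule, detail) findings for a workflow file's text.

    Line 0 marks a file-level finding. This is a heuristic line scan, not a
    YAML parser, so it only understands the common layout shown above.
    """
    lines = text.splitlines()
    findings = []
    uses_prt = re.search(r"\bpull_request_target\b", text) is not None

    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append((0, "missing-permissions",
                         "no top-level permissions: block, GITHUB_TOKEN keeps the repository default"))

    in_run, run_indent = False, 0
    for no, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m:
            in_run = False
            ref = m.group(1)
            if ref.startswith("./") or ref.startswith("docker://"):
                continue  # local and container actions are out of scope here
            version = ref.rsplit("@", 1)[1] if "@" in ref else ""
            if not FULL_SHA_RE.match(version):
                findings.append((no, "unpinned-action", ref + " is not pinned to a full commit SHA"))
            continue

        m = REF_RE.match(line)
        if m and uses_prt and any(s in m.group(1) for s in
                                  ("github.event.pull_request.head", "github.head_ref")):
            findings.append((no, "prt-checks-out-pr-head",
                             "pull_request_target job checks out the PR head while repo secrets are available"))

        m = RUN_RE.match(line)
        if m:
            in_run, run_indent = True, len(m.group(1))
        elif in_run and line.strip() and len(line) - len(line.lstrip()) <= run_indent:
            in_run = False  # dedented back to the step's own keys: the run block is over

        if in_run:
            for expr in EXPR_RE.findall(line):
                if any(field in expr for field in UNTRUSTED_FIELDS):
                    findings.append((no, "expression-injection",
                                     "untrusted expression " + expr.strip() + " interpolated into run:"))
    return findings


if __name__ == "__main__":
    for name, wf in (("sample", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name + ":", scan_workflow(wf) or "no findings")
```

Run against the constructed sample it reports four findings (missing permissions, the tag-pinned checkout, the PR-head checkout under pull_request_target, and the title interpolated into `run:`); the hardened copy of the same job comes back clean. Passing untrusted event data through `env:` rather than `${{ }}` inside the shell line is the usual fix for the last one, because the shell then receives it as data instead of source text.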


๐Ÿ•ต๏ธโ€โ™‚๏ธ Security risks in GitHub Actions (by Igor Stepansky) | Cloud & CI/CD Security TechSpot | NatokHD