resources banner

GitHub Actions & Code Injection: Avoiding Vulnerable Configurations

categories icon Webinar

GitHub Actions & Code Injection: Avoiding Vulnerable Configurations

GitHub Actions is an increasingly popular DevOps tool mainly due to its rich marketplace and ease-of-use.

As part of our research of the GitHub Actions security landscape, we discovered that in writing a perfectly secure GitHub Actions workflow, several pitfalls could cause severe security consequences. For example, many developers would use event input data to improve their workflow process. However, this data could be controlled by an attacker, and potentially compromise the build process. Unless the developers deeply understand GitHub best-practices documents, these workflows are likely to have mistakes. Such mistakes are costly - and could create supply-chain risk to the application.

During the webinar, we discuss how we found and disclosed vulnerable workflows in several popular open-source tools, delved into GitHub Actions architecture to understand the possible consequences of these vulnerabilities, and present what could be the mitigations for such issues.

Presented by:

Alex Ilgayev
Alex Ilgayev
Head of Security Research

By submitting this form I agree to be contacted by Cycode, and receive occasional offers & product updates via phone or email in line with Cycode's Privacy Policy.

Cycode Wins the Triple Crown of Security Awards

Learn more about the common misconceptions of securing software supply chains, and how to overcome them, by requesting a demo.

vendor an innovation