Cloud & CI/CD security meetup

Doors open, registration, drinks & snacks

Breaking the CI/CD chain: security risks in GitHub Actions

GitHub Actions are vital for CI/CD pipelines, but do you really know what happens under the hood?

This talk breaks down GitHub Actions concepts, explores security risks, and highlights how third-party actions can introduce vulnerabilities. We’ll walk through real-world cases of misconfigurations and vulnerabilities, including the recent tj-actions/changed-files issue, and show how malicious workflows can slip in through third-party actions.

You’ll see how different security tools, from static analysis to runtime monitoring, fit into protecting CI/CD pipelines, and learn practical steps to secure your workflows. Igor will also introduce a new tool that maps and analyzes transitive actions, helping teams understand their impact and reduce exposure.

Attendees will gain a deep understanding of GitHub Actions security, real-world case studies, practical mitigation techniques, and a tool for securing GitHub Actions.

‍

Coffee, beer, networking

‍

DevOps gone rogue: hidden threats in CI pipelines

Supply chain attacks are now widely analyzed and discussed by the entire community, but they are most often considered in the context of external attacks. But what might happen when we combine this technique with an insider attack scenario?

In a situation where remote employment has become common practice, attackers are increasingly deciding to impersonate employees. How, as a "typical programmer" with no access to production, can I carry out an attack without arousing the suspicion of other developers or the security team?

During the presentation, I will demonstrate how to leverage technical debt in the CI/CD configuration to take over the production environment (Docker/Kubernetes), bypassing existing threat detection systems.

Coffee, beer, networking

‍

Panel Discussion on Cloud Security Issues and Challenges

Afterparty

‍

‍

‍