Breaking the CI/CD chain: security risks in GitHub Actions
GitHub Actions are vital for CI/CD pipelines, but do you really know what happens under the hood?
This talk breaks down GitHub Actions concepts, explores security risks, and highlights how third-party actions can introduce vulnerabilities. We’ll walk through real-world cases of misconfigurations and vulnerabilities, including the recent tj-actions/changed-files issue, and show how malicious workflows can slip in through third-party actions.
You’ll see how different security tools, from static analysis to runtime monitoring, fit into protecting CI/CD pipelines, and learn practical steps to secure your workflows. Igor will also introduce a new tool that maps and analyzes transitive actions, helping teams understand their impact and reduce exposure.
Attendees will gain a deep understanding of GitHub Actions security, real-world case studies, practical mitigation techniques, and a tool for securing GitHub Actions.