Security Research Blog
Sharing knowledge because cyber security is a team sport.
Loading articles...
A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident
26 min read
The recent compromise of the GitHub action tj-actions/changed-files and additional actions within the reviewdog organization has captured the attention of the GitHub community, marking another major software supply chain attack. Our team conducted an in-depth investigation into this incident and uncovered many more details about how the attack occurred and its timeline.
The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree
16 min read
Learn how a novel attack vector in GitHub Actions allows attackers to distribute malware across repositories using a technique that exploits the actions dependency tree and puts countless open-source projects and internal repositories at risk. Get an in-depth look at the attack vectors, technical details and a real-world demo in this blog post highlighting our latest research.
Abusing Repository Webhooks to Access Internal CI/CD Systems at Scale
15 min read
On the surface, repository webhooks seem secure. But we recently tested these webhooks to identify security issues and discovered that anyone on the internet can overcome the IP restriction, access data and execute code on internal CI/CD pipelines at scale.
How to Secure Your Open Source Project - A Quick Guide for Developers
9 min read
This blog is designed to provide developers with a practical, straightforward guide to secure their open source (OS) projects. We'll cover the most important aspects of securing OS projects, and provide practical guidelines using GitHub as the source control management system (SCM), and GitHub Actions as the CI/CD solution.
Optimizing CI/CD Credential Hygiene - A Comparison of CI/CD Solutions
7 min read
Attackers are always on the lookout to gain access to credentials, which are a critical asset to protect and are widespread throughout the organization. This is highly relevant in CI/CD systems, which are a vital part of the engineering ecosystem.
CI/CD Goat - A Deliberately Vulnerable CI/CD Environment
3 min read
Today we are excited to announce the launch of "CI/CD Goat" - a deliberately vulnerable CI/CD environment which allows engineers, security practitioners, and curious hackers to learn and experience the major CI/CD security risks out there.
How to Secure Jenkins' Default Build Authorization Configuration
11 min read
The default build authorization configuration in Jenkins — controlling the permissions allocated to pipelines — is insecure and is often left unmodified in production environments. To address this issue, you should use the "Authorize Project" and the "Role-Based Authorization Strategy" plugins to define secure build authorization configurations.