(Added an advisory following the recent GitHub tnj action compromise)
(Added bullet points to the new advisory)
| Line 22 (previous revision): | Line 22 (this revision): |
| '''Additionally''', following a recent supply-chain attack involving the '''reviewdog/action-setup''' GitHub Action (March 2025), it is strongly recommended to: | '''Additionally''', following a recent supply-chain attack involving the '''reviewdog/action-setup''' GitHub Action (March 2025), it is strongly recommended to: |
| Always pin third-party GitHub Actions to specific, immutable commit SHAs rather than mutable tags (such as @v1 or @latest) to avoid executing malicious code introduced via compromised tags. | * Always pin third-party GitHub Actions to specific, immutable commit SHAs rather than mutable tags (such as @v1 or @latest) to avoid executing malicious code introduced via compromised tags. |
| Regularly audit workflow files and execution logs for suspicious or unexpected behavior, particularly encoded or obfuscated outputs that may indicate secret leakage. | * Regularly audit workflow files and execution logs for suspicious or unexpected behavior, particularly encoded or obfuscated outputs that may indicate secret leakage. |
| Immediately rotate any credentials (such as Personal Access Tokens, API keys, or other secrets) if you suspect exposure. | * Immediately rotate any credentials (such as Personal Access Tokens, API keys, or other secrets) if you suspect exposure. |
| Promptly update any third-party actions to their latest patched versions, and verify their integrity before use. | * Promptly update any third-party actions to their latest patched versions, and verify their integrity before use. |
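The two audit checks the new revision recommends (find actions not pinned to a full commit SHA, and find encoded blobs in job logs), written out as an added example. This is not code from the wiki page, from reviewdog, or from GitHub; the workflow text and log lines are constructed for the demonstration, and the 40-character SHA is a placeholder, not a real commit.

```python
"""Two checks from the advisory: unpinned third-party actions in a workflow
file, and long (possibly nested) base64 runs in job logs.
Added example; sample inputs below are constructed, not real project data."""
import base64
import binascii
import re

# `uses: owner/repo[/path]@ref`, optionally quoted, as a list item or a bare key.
# Local actions (./path) and docker:// references carry no @ref and never match.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"@]+)@([^\s'"#]+)""", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# A base64 run long enough to be a dumped secret rather than an ordinary token.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
B64_INNER_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def find_unpinned_actions(workflow_text):
    """Return [(action, ref)] for every third-party action whose ref is not a
    full 40-hex commit SHA (tags, branches and @latest are all mutable)."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        action, ref = m.group(1), m.group(2)
        if not FULL_SHA_RE.match(ref):
            findings.append((action, ref))
    return findings


def find_encoded_blobs(log_lines):
    """Return [(line_no, run_length, layers)] for long base64 runs in the log.
    `layers` is how many times the run decodes into yet another base64 run;
    nested encoding is a common way to slip secrets past log masking.
    Pure hex runs (git SHAs, digests) are skipped to cut noise."""
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        for run in B64_RUN_RE.findall(line):
            if HEX_RE.fullmatch(run):
                continue
            layers = 0
            data = run.encode()
            while True:
                try:
                    decoded = base64.b64decode(data, validate=True)
                except (ValueError, binascii.Error):
                    break
                layers += 1
                if not B64_INNER_RE.fullmatch(decoded):
                    break
                data = decoded
            findings.append((line_no, len(run), layers))
    return findings


# Constructed workflow: one pinned action (placeholder SHA, not a real commit),
# one local action, and two actions on mutable refs.
SAMPLE_WORKFLOW = """name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-thing
      - uses: example-org/some-action@main
"""

# Constructed log: line 3 carries a double-base64-encoded fake token, line 4 a
# digest that must not be flagged.
_FAKE_DUMP = b"GITHUB_TOKEN=ghs_placeholder_token_value_000"
SAMPLE_LOG = [
    "2025-03-11T10:01:02Z Run reviewdog/action-setup@v1",
    "2025-03-11T10:01:03Z Installing reviewdog ... done",
    "2025-03-11T10:01:04Z "
    + base64.b64encode(base64.b64encode(_FAKE_DUMP)).decode(),
    "2025-03-11T10:01:05Z sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

if __name__ == "__main__":
    for action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"UNPINNED  {action}@{ref}")
    for line_no, length, layers in find_encoded_blobs(SAMPLE_LOG):
        print(f"ENCODED   log line {line_no}: {length}-char run, {layers} base64 layer(s)")
```

A full SHA only helps if it came from a trusted source: after pinning, confirm that the SHA really is the commit behind the release tag you intended (for example by comparing it with the output of `git ls-remote` against the action's repository) rather than copying it from a third-party README. In the log check, a run that decodes into another base64 run (layers of 2 or more) is the strongest signal, since plain base64 of ordinary data is common in CI output.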