Luciana Ledesma's Post

Allowed does not mean expected. In a recent AI-related supply chain incident, an automated triage bot executed commands based on a prompt injection in a GitHub issue title. What is interesting is that nothing the system did was obviously “forbidden”. Installing packages? Allowed. Running commands in CI? Allowed. Publishing packages? Allowed. But the behaviour was clearly unexpected. A GitHub issue should not trigger dependency installation from an unknown repository. Security systems often ask: Is this action allowed? Governance systems should ask: Is this action expected in this context? Allowed actions can still produce unexpected behaviour. And unexpected behaviour is where risk usually begins. https://lnkd.in/dECd-BJs

More Relevant Posts
🛡️ After the recent Trivy compromises, I lost trust in running the trivy binary directly in CI. But Trivy's vulnerability scanning for Docker images is too valuable to abandon. So I built a sandboxed replacement. https://lnkd.in/dqZUMguv The concern with running any unverified third-party tool in CI is that a backdoor could steal secrets available to the build, tamper with your build, or both. The workflow's GitHub token with write permissions is one of the most sensitive assets at risk, since it can be used to inject malicious code directly into your repository. The mitigation is straightforward: run Trivy inside a constrained Docker container with minimal permissions. Read-only filesystem, all Linux capabilities dropped, no privilege escalation, no Docker socket access. For image scans, the image is exported with docker save and mounted read-only into the container. All scan targets and output directories use the least required permissions. This way you keep Trivy's scanning value, but a compromised trivy binary can't reach your secrets or tamper with your build. It's a drop-in replacement for most trivy-action use cases: filesystem scans, image scans, IaC scans, SARIF output for GitHub code scanning. #security #devsecops #supplychain #github #trivy #cicd
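The sandboxed image scan the post describes, written out as an added shell example. This is not the author's action (that is behind the link) and it assumes things the post does not state: the TRIVY_IMAGE digest placeholder, the /input and /output mount paths inside the container, and SARIF as the output format. The pin check refuses to run the scanner unless its own image is referenced by digest, so the scanner cannot itself be swapped under a mutable tag.

```shell
#!/bin/sh
# Added example (not the author's action): a docker-sandboxed Trivy image scan
# with the constraints listed in the post. Assumptions, not from the post: the
# TRIVY_IMAGE reference, the /input and /output mount paths, SARIF output.
set -eu

# The scanner image itself must be pinned by digest, not by a tag that a
# compromised upstream could repoint. PLACEHOLDER: set TRIVY_IMAGE to the
# digest you verified; run_sandboxed_scan refuses to start until it is one.
TRIVY_IMAGE="${TRIVY_IMAGE:-aquasec/trivy@sha256:REPLACE_WITH_VERIFIED_DIGEST}"

# Succeeds only when an image reference ends in a full sha256 digest.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Export a locally present image with `docker save` and scan the tarball in a
# container with a read-only root filesystem, no Linux capabilities, no
# privilege escalation, tmpfs-only scratch space for Trivy's DB cache, and no
# host path except the read-only tarball and the output directory. No Docker
# socket is mounted. Network stays on because Trivy fetches its vulnerability DB.
# Usage: run_sandboxed_scan <image-ref> <output-dir>
run_sandboxed_scan() {
  image=$1
  outdir=$2
  if ! is_digest_pinned "$TRIVY_IMAGE"; then
    echo "refusing to run: TRIVY_IMAGE is not pinned by digest ($TRIVY_IMAGE)" >&2
    return 2
  fi
  workdir=$(mktemp -d)
  tarball="$workdir/image.tar"
  mkdir -p "$outdir"
  docker save "$image" -o "$tarball"
  chmod 0444 "$tarball"   # the scanner only ever needs to read it
  docker run --rm \
    --read-only \
    --cap-drop=ALL \
    --security-opt=no-new-privileges \
    --tmpfs /tmp:rw,noexec,nosuid,size=1g \
    --env TRIVY_CACHE_DIR=/tmp/trivy-cache \
    --volume "$tarball:/input/image.tar:ro" \
    --volume "$outdir:/output:rw" \
    "$TRIVY_IMAGE" image --input /input/image.tar \
      --format sarif --output /output/trivy.sarif --exit-code 0
  rm -rf "$workdir"
  echo "SARIF written to $outdir/trivy.sarif"
}

# Stand-alone use:
#   SCAN=1 TRIVY_IMAGE=aquasec/trivy@sha256:<digest> sh scan.sh myimage:tag ./out
if [ "${SCAN:-0}" = "1" ]; then
  run_sandboxed_scan "$1" "$2"
fi
```

`--exit-code 0` keeps the step green whatever Trivy finds, which is right when the SARIF is uploaded to code scanning; change it to 1 to gate the build on findings. The tarball is world-readable but not writable, and the only writable host path the container sees is the output directory.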
GitGuardian found 28.65 million new hardcoded secrets were exposed in public GitHub commits in 2025, up 34% year over year — the largest single-year increase in secrets sprawl it has recorded. https://lnkd.in/gh6KVQDi
Someone made a post about Patchd yesterday. "Copy-pasting code into a tool creates friction. Nobody will do that in a real workflow." They're right. I had thought about that before they said it. Vibe coders don't want another tab. They don't want a paste box. They definitely won't remember to run a manual scan. If security requires effort, it gets skipped. That's why the GitHub Action was already in the works. Every pull request. Every file that changed. Patchd scans it automatically and drops a comment before anything gets merged: SQL injection in routers.py, missing rate limiting on admin endpoints, best practices you'd have missed at 11pm on a Friday. No context switching. No remembering to check. No paste box. The web version was step one; it's how you try it and understand what it does. But a security tool you have to remember to run isn't really a security tool. It's a reminder you'll eventually ignore. The Action removes the friction entirely. That was always the plan. It's submitted to the GitHub Marketplace. Waiting on approval. Early access is open in the meantime @ patchd.dev #Patchd #GitHubActions #DevSecOps #BuildInPublic #StartupSecurity #VibeCode
I read a lot about supply chain attacks on (open source) projects. A lot of these dependencies come from untrusted / verified package managers fetching dependencies from GitHub repositories. Recently the advice has been to pin your dependencies to prevent automatic updates to (what might later turn out to be) compromised versions. These tags are slightly problematic because a tag can be redefined by an attacker with sufficient rights. So the advice becomes: pin to a commit SHA, because that can't be changed (it's based on context). However, a large platform like GitHub Actions does not verify that the commit SHA you are pinning to _actually comes_ from the repo you are specifying; it will just as happily load that SHA from a fork. This is highly problematic. Read more in this excellent article by Aiden Vaines https://lnkd.in/edkSZ68r
When devs say "nothing to worry about, we write a lot of GitHub Actions", I always remind them that GitHub's own GitHub Action got compromised once. And "pull_request_target" is just a nightmare: consider yourself compromised if you use a self-hosted runner with that.
Yesterday I blamed the Trivy breach on GitHub. The design of Actions is plain irresponsible today and ignores a decade of supply chain security work from other ecosystems. Here's what they would have to change to make Actions more secure by default:

# Immutable tags backed by a transparency log
Git tags are mutable. Anyone with repo access can silently rewrite them. The trivy attack just rewrote 75 version tags to point at malicious code across thousands of repos. Go modules solved this in 2019. Sigstore exists. There's no excuse.

# Lock down GITHUB_TOKEN by default
Repos created before 2023 still run with write-all tokens. Workflows should have to declare every permission they need or they don't run. The Shai Hulud worm in late 2025 spread through repos that had never thought about this.

# Fix pull_request_target or kill it
It runs with full secret access on code from untrusted forks. This is impossible to use correctly.

# Fix the templating to make it safe
The template syntax drops user-controlled values directly into shell scripts with no escaping. The same mistake PHP made with SQL. Ultralytics, PostHog, AsyncAPI all got hit through this exact pattern in 2025.

# Transitive dependency pinning
Pinning to a SHA only covers the outer action. The action you pinned can reference other actions with mutable tags. There's no lockfile, no full dependency graph. You can think you're doing everything right and still get owned one level down.

# A real publish gate
Right now any public repo is an action. There's no distinction between an actively maintained library and something a developer pushed three years ago and forgot about. npm has `npm publish`. PyPI has an upload flow. GitHub lets you reference any random repo at any mutable tag. Folks publishing an action for use by others *should* have to do a bit more work.

All the pieces to fix this exist — OIDC, Sigstore, CodeQL workflow analysis, the Marketplace. What's missing is the will to make secure the default instead of the opt-in.
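Four of the points above (mutable tag pins, the GITHUB_TOKEN permissions declaration, pull_request_target, and event data dropped into run: steps) can be checked per workflow file before a review. The linter below is an added shell example, not code from this post or from GitHub; the sample workflow it scans is constructed, and the 40-hex SHA in it is a made-up placeholder, not a real commit. It is line-based rather than a YAML parser, so it handles the common single-line and block-scalar `run:` forms but not every layout. A format check also says nothing about where a SHA came from, which is the earlier post's point about forks; that needs provenance verification outside this script.

```shell
#!/bin/sh
# Added example, not the author's code: a small linter for four hardening
# points (unpinned action refs, run: steps interpolating event data, the
# pull_request_target trigger, missing top-level permissions). Line-based,
# not a YAML parser. The sample workflow below is constructed.
set -eu

# Constructed sample showing each problem; the 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW=$(cat <<'EOF'
name: ci
on:
  pull_request_target:
    types: [opened]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: unsafe
        run: echo "PR title: ${{ github.event.pull_request.title }}"
      - name: unsafe block scalar
        run: |
          echo "branch ${{ github.head_ref }}"
          echo done
      - name: safe
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $TITLE"
EOF
)

# Count `uses:` references not pinned to a full 40-hex commit SHA.
count_unpinned_uses() {
  printf '%s\n' "$1" | grep -E '^[[:space:]]*-?[[:space:]]*uses:' \
    | grep -Ev '@[0-9a-f]{40}([[:space:]]|$)' | wc -l | tr -d ' '
}

# Count `run:` steps that expand github.event.* / github.head_ref directly into
# the shell script. Handles single-line values and "run: |" / "run: >" blocks.
count_run_injections() {
  printf '%s\n' "$1" | awk '
    BEGIN { pat = "[$][{][{][ \t]*github[.](event[.]|head_ref|ref_name)"; hits = 0 }
    /^[ \t]*(-[ \t]+)?run:[ \t]*[|>]/ {      # block scalar: remember its indent
      match($0, /^[ \t]*/); ind = RLENGTH; inblock = 1; next
    }
    inblock {                                 # body lines are indented deeper
      match($0, /^[ \t]*/)
      if (RLENGTH > ind || $0 ~ /^[ \t]*$/) { if ($0 ~ pat) hits++; next }
      inblock = 0
    }
    /^[ \t]*(-[ \t]+)?run:/ { if ($0 ~ pat) hits++ }   # single-line run:
    END { print hits }
  '
}

# Succeeds when the workflow is triggered by pull_request_target.
uses_pull_request_target() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*pull_request_target:'
}

# Succeeds when the workflow declares a top-level permissions: block.
has_top_level_permissions() {
  printf '%s\n' "$1" | grep -Eq '^permissions:'
}

# Print findings; return 1 if any, 0 if clean.
lint_workflow() {
  wf=$1
  rc=0
  n=$(count_unpinned_uses "$wf")
  [ "$n" -eq 0 ] || { echo "action refs not pinned to a commit SHA: $n"; rc=1; }
  n=$(count_run_injections "$wf")
  [ "$n" -eq 0 ] || { echo "run: steps interpolating event data: $n"; rc=1; }
  if uses_pull_request_target "$wf"; then echo "pull_request_target trigger present"; rc=1; fi
  has_top_level_permissions "$wf" || { echo "no top-level permissions: block"; rc=1; }
  return $rc
}

# Stand-alone use: sh lint.sh .github/workflows/ci.yml  (exit 1 on findings)
if [ $# -gt 0 ]; then
  lint_workflow "$(cat "$1")"
fi
```

The `env:` step in the sample is the safe pattern: the event value reaches the shell as an environment variable, so its contents are data rather than script text. The injection check deliberately ignores `${{ }}` expressions on `env:` lines for that reason.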
Good summary. Given that GHA has become a systematic risk it would be nice for them to take feedback on this. Andrew Nesbitt has a great writeup: https://lnkd.in/gXWwT3Zb
A security scanner just became the attack vector. Trivy — used by millions to scan for vulnerabilities — was compromised and here's what happened.

# Attackers exploited a misconfigured GitHub Actions workflow to steal a write-all token (default for repos before 2023)
# Used that token to silently rewrite version tags to point at malicious code
# Every pipeline that ran Trivy executed the attacker's code
# AWS keys, SSH keys, GitHub tokens — stolen from thousands of CI runners

Known unfixed gaps and not following secure by default made this attack possible:
1. Git tags are mutable — anyone with write access can silently repoint them. No alerts, no history.
2. No transparency log — zero alerts to Trivy, no notification to consumers.
3. Write-all tokens - default for repos created before 2023.

All of the above can be configured securely but are not secure by default.
I read an interesting article this evening about an autonomous campaign that scans GitHub Actions for misconfigurations. This campaign has been so effective that companies like Microsoft and Trivy were affected. With the increase in vibe coding and the uptick in the use of GitHub to host this code, we could end up seeing a lot of these repos susceptible to attack. If you don't know how to secure your codebase, you had better start here - https://lnkd.in/dYr8BZYc https://lnkd.in/dwtv6dxh