We reveal how baseline-driven monitoring caught one of 2025's most consequential CI/CD supply chain attacks, exposing the vulnerability of 23,000+ repositories including those from GitHub, Meta, and Microsoft.
Explore how to use GitHub Actions secrets securely by restricting organizational secrets, using secrets exclusively for sensitive data, and implementing least privileged access.
How threat actors exploited AWS CodeBuild pipelines by stealing secrets from CI/CD memory—and the proactive defenses organizations can deploy to detect, respond to, and prevent such attacks.
Popular Python Package num2words v0.5.15 Published Without Repository Tag, Linked to Known Threat Actor
npm 'is' package versions 3.3.1 and 5.0.0 compromised - critical utility with millions of weekly downloads falls victim to expanding phishing campaign
Unlike GitHub Copilot, which ships with a built-in network firewall, the anthropics/claude-code-action GitHub Action runs in GitHub Actions without network restrictions by default. A complete guide to using Claude Code in GitHub Actions with runtime security monitoring from Harden-Runner.
AI coding agents like GitHub Copilot are powerful, but they can be a black box in CI/CD. Copilot's firewall blocks unauthorized network calls, but it doesn't show which processes run, which APIs are called, or which packages get installed. StepSecurity Harden-Runner closes that gap with runtime visibility into every action Copilot takes, delivering true defense-in-depth for secure AI-driven development.
As organizations integrate AI coding agents into their development pipelines, new security considerations emerge. While these tools accelerate development, they require thoughtful security approaches to protect against novel attack vectors like Rules File Backdoor attacks and GITHUB_TOKEN compromise.