This article discusses the security vulnerabilities associated with GitHub Actions, highlighting issues like secrets management failures, insufficient permission management, and dependency pinning failures. It emphasizes the importance of understanding these risks to protect CI/CD workflows from potential attacks.

Aikido Security has identified a vulnerability in GitHub Actions and GitLab CI/CD workflows that allows AI agents to execute malicious instructions, potentially leaking sensitive information. The flaw affects multiple companies and demonstrates how AI prompt injection can compromise software supply chains.

The guide provides insights into the OWASP Top 10 CI/CD security risks, emphasizing how automation and Infrastructure as Code (IaC) practices have expanded attack surfaces. It outlines the dangers of Dependency-Poisoned Pipeline Execution (D-PPE) attacks and stresses the importance of securing CI/CD pipelines against both direct and indirect threats.

GitLab has released critical security updates for its DevSecOps platform to address multiple vulnerabilities, including account takeover and injection of malicious jobs in CI/CD pipelines. Users are urged to upgrade to the latest versions immediately to protect against these security flaws, which have been exploited in recent attacks on major companies.

Sysdig's Threat Research Team uncovered significant security vulnerabilities in GitHub Actions workflows across popular open source projects, including those by MITRE and Splunk. Their research revealed how insecure configurations, particularly using pull_request_target, can expose sensitive credentials and allow for exploitation, prompting the team to recommend best practices to enhance CI/CD security.