Links
This article details LinkedIn's efforts to upgrade its Static Application Security Testing (SAST) capabilities. It covers the challenges faced with legacy systems, the design principles guiding the modernization, and the implementation of a new GitHub Actions-based workflow to enhance security without disrupting developer productivity.
pinact is a command-line tool that helps you edit and pin versions of GitHub Actions and reusable workflows. It allows you to update versions, verify annotations, and create pull request reviews for better security and reliability in CI/CD pipelines.
The GitHub Actions `attest-build-provenance` action allows users to generate signed attestations for workflow artifacts, binding them to a SLSA build provenance predicate. It utilizes the Sigstore service for signing, supports both public and private repositories, and facilitates verification through the GitHub CLI, ensuring artifact integrity and provenance.
The article discusses the security considerations necessary for using GitHub Actions in CI/CD setups, emphasizing the importance of protecting workflows against potential threats from contributors with write access. It details various attack scenarios, including script injection vulnerabilities, and provides best practices for securing sensitive workflows and managing permissions effectively.