This GitHub repository offers a comprehensive checklist for securing your digital life. It includes a website for easy navigation, a raw data file for modifications, and an API for accessing checklist data. Users can clone the repo, run it locally, or deploy it on various platforms.

This article discusses the security vulnerabilities associated with GitHub Actions, highlighting issues like secrets management failures, insufficient permission management, and dependency pinning failures. It emphasizes the importance of understanding these risks to protect CI/CD workflows from potential attacks.

A typosquatted npm package named “@acitons/artifact” impersonated the legitimate “@actions/artifact” to exploit GitHub's CI/CD workflows. It stole tokens from build environments and published malicious artifacts, highlighting vulnerabilities in supply chain security.

This article analyzes a malicious Visual Studio Code extension that implements ransomware-like behavior. It highlights how the extension encrypts files, uploads sensitive data, and communicates with a command and control server via a private GitHub repository. The piece questions how such obvious malware passed the marketplace review.

This cheat sheet outlines effective ways to discover, validate, and protect API keys and credentials throughout your software development lifecycle. It includes practical examples, tips on ownership, and guidance on securing vaults without hindering development. It's a useful resource for teams looking to manage secrets more effectively.

GitHub Agentic Workflows automate tasks in your repositories using AI. You can define workflows in markdown, and they integrate with GitHub features like Actions and Issues. The system prioritizes security with sandboxed execution and limited permissions.

A security researcher discovered that Home Depot unintentionally exposed access to its internal systems for a year due to a published access token. After attempts to notify the company went ignored, TechCrunch intervened, leading to the token's revocation. Home Depot lacks a formal process for reporting such security issues.

On November 24, 2025, over 1,000 NPM packages were compromised using a fake Bun runtime, leading to the infection of more than 27,000 GitHub repositories. The malicious code steals sensitive information and exfiltrates it via a GitHub Action runner. This incident appears to be linked to a previous attack identified as "Shai-Hulud."

GitHub Agentic Workflows automate repository tasks using AI, allowing users to create workflows in markdown instead of YAML. It integrates with GitHub features for improved efficiency, all while maintaining security through sandboxed execution and controlled permissions. The tool is still in early development, so caution is advised.

This article outlines recent npm security breaches and provides a checklist for securing npm publish workflows. It emphasizes the importance of using granular npm tokens, 2FA, and trusted publishers to minimize risks from compromised credentials.

The article explains how attackers can turn self-hosted GitHub Actions runners into backdoors, allowing persistent access to compromised systems. It details the Shai-Hulud worm as a case study, highlighting its methods for exploiting GitHub's infrastructure and the security risks involved.

ghbuster is a tool that identifies potentially malicious or inauthentic GitHub repositories and users through heuristics. It provides methods to detect suspicious activities such as unlinked email commits and coordinated stargazing, helping to maintain the integrity of the GitHub ecosystem. Users can easily install and run the tool with specific commands and can also generate documentation and run tests.

The article discusses a vulnerability discovered in the MCP (Multi-Chain Protocol) on GitHub, detailing its implications for security and potential exploits. It emphasizes the importance of addressing such vulnerabilities promptly to safeguard projects and users relying on the MCP framework.

GitHub enhances its security measures by implementing stricter protocols for its SAML (Security Assertion Markup Language) authentication. The article details the specific changes made to the SAML implementation, aimed at mitigating potential security vulnerabilities and ensuring safer access for users.

The article discusses GitHub's Dependency Graph, a feature that helps developers visualize and understand their software's supply chain by mapping out dependencies. This tool enhances security by allowing users to identify vulnerabilities in their dependencies and manage them effectively, promoting better supply chain security practices.

The article provides insights on effectively utilizing GitHub Advanced Security to prioritize vulnerabilities and speed up remediation processes. It emphasizes strategies for improving code security and enhancing collaboration within development teams. The focus is on actionable steps for organizations to maximize their security posture using GitHub's advanced features.

A malicious post-install command executed during the installation of the nx build kit created unauthorized GitHub repositories in users' accounts, stealing sensitive information like wallets and API keys. Organizations are urged to review their GitHub activity and rotate credentials to mitigate exposure, while ongoing investigations continue into the incident.

The article discusses a project where the author scanned all of GitHub's commits for leaked secrets, highlighting the importance of managing sensitive information in code repositories. The findings emphasize the potential risks developers face if they inadvertently expose secrets in their code. Additionally, the article offers insights into the tools and methods used for the scanning process.

The article discusses how GitHub leveraged Copilot to enhance their secret protection engineering efforts, resulting in significant efficiency improvements. By integrating AI-driven tools, the team was able to accelerate their workflows and improve code security practices. This initiative illustrates the potential of AI in streamlining complex engineering tasks.

Sharon Brizinov shares her experience of earning $64,350 through bug bounty hunting by automating the recovery of deleted files from public GitHub repositories. By scanning thousands of repositories for exposed API keys and credentials hidden in Git's history, she highlighted the importance of addressing security vulnerabilities from seemingly deleted information.

The article provides a comprehensive guide on securing GitHub Actions, emphasizing best practices for protecting workflows and sensitive data. It discusses common security risks and offers actionable recommendations to mitigate those risks, ensuring safer automation in software development processes.

GitHub is enhancing its security features by introducing the next evolution of GitHub Advanced Security, which aims to improve developers' ability to identify and fix vulnerabilities in their code. The new tools and integrations will provide more comprehensive security insights and streamline the workflow for developers working on secure applications.

The article discusses a malware issue affecting GitHub users on macOS, highlighting how this malware can compromise systems and steal sensitive information. It emphasizes the importance of maintaining security practices and being aware of potential threats when using software development tools.

A recent analysis of 100 popular security projects on GitHub revealed that only a small fraction have pinned their GitHub Actions to specific commits, leaving many workflows vulnerable to silent changes. The study highlighted the importance of pinning actions to ensure code stability and security, while also addressing the risks posed by transitive dependencies that may not be pinned. Recommendations for securing workflows include using tools to automate the pinning process and keeping actions updated.

sbommv is a versatile tool for transferring Software Bill of Materials (SBOMs) between systems, utilizing a modular architecture that supports various input and output systems, including GitHub and AWS S3. The tool enhances SBOM management with features like metadata enrichment, continuous monitoring, and integration with platforms like Dependency-Track and the Interlynk Platform. Users can easily install and use sbommv to streamline their SBOM workflows and contribute to its ongoing development.

GitHub Advanced Security for Azure DevOps now allows automatic injection of dependency scanning tasks into pipeline runs for default branches, facilitating the detection of open-source dependency vulnerabilities. Users can easily enable this feature and receive results that help in addressing any identified issues, as well as set up pull request annotations for new findings.

The article discusses a critical vulnerability in the GitHub Model Context Protocol (MCP) integration that allows attackers to exploit AI assistants through prompt injection attacks. By creating malicious GitHub issues, attackers can hijack AI agents to access private repositories and exfiltrate sensitive data, highlighting the inadequacy of traditional security measures and the need for advanced protections like Docker's MCP Toolkit.