GitHub Actions Workflow Hacked to Push Malicious Code to PyPI

Your CI pipeline is not less risky than production. It runs with secrets, has internet access, and most engineers treat it as config, not code. Wiz published a full GitHub Actions threat model this week. A few things that stood out: → Untrusted inputs in `run:` steps can trigger script injection without a single PR approval → `GITHUB_TOKEN` is routinely over-permissioned and scoped to the whole repo → Third-party actions are supply chain risk by default. Pinning to a SHA is not optional. → Secrets in env vars leak into logs more often than most teams realize Full breakdown in the comments ↓ #devops #security #githubactions

GitHub Launches Fork Commit Detector to Flag Malicious Code in Supply Chains 📌 GitHub’s new Fork Commit Detector scans code supply chains to spot sneaky “imposter commits” - malicious forks masquerading as trusted upstream code. Built for DevOps teams, it flags risky Git SHA references before they trigger CI/CD pipelines or break critical tools. A vital step in securing automated workflows against hidden supply chain threats. 🔗 Read more: https://lnkd.in/d8PKUEsy #Github #Forkcommit #Supplychain #Git #Imposter

3 things I believed about SAST before I actually used it 1. "It's just a linter with a security label" 2. "It'll flood you with useless alerts" 3. "You set it up once and forget it" All three were wrong. Here's what I found instead After integrating Bandit (Python) and Sonar Cloud into my CI/CD pipeline, my understanding completely shifted. Reality 1: It catches vulnerabilities at the code level — injection patterns, hardcoded secrets, insecure functions — things a linter never touches. Reality 2: Yes, there are false positives. But learning to triage them is a skill in itself. You start recognising why something is flagged, which makes you a better developer. Reality 3: Quality gates need tuning. I configured Sonar Cloud to block any push with a Critical severity finding. That decision takes thought — and it changes how you write code going forward. The moment my own pipeline rejected my own commit? That was the moment SAST stopped being a concept and became a habit. Want to set this up yourself? Here are the tools I used - dive in and try it on your own project: Bandit (Python SAST): https://lnkd.in/e6yKv9Ds Sonar Cloud (Code Quality & Security Gate): https://sonarcloud.io My Project Repo :   https://lnkd.in/eCJ_8xHA https://lnkd.in/ed3Ydqej Which SAST myth did you believe before you tried it? Or do you disagree with any of my "realities"? Let's debate. Also, Let me know the other prefered tools. Day 8 of 90. #DevSecOps #SAST #SonarCloud #Bandit #AppSec #CloudSecurity #CyberSecurity #LearningInPublic

⚜ End-to-End 𝐃𝐞𝐯𝐒𝐞𝐜𝐎𝐩𝐬 𝐂𝐈/𝐂𝐃 Pipeline in Action Here’s a streamlined pipeline architecture that integrates security, quality, and deployment into a cohesive workflow: 🔵 𝐂𝐈 𝐏𝐢𝐩𝐞𝐥𝐢𝐧𝐞 (𝐉𝐞𝐧𝐤𝐢𝐧𝐬) ● Code pushed to GitHub triggers Jenkins CI ● Dependency checks via OWASP ● Code quality & security analysis using SonarQube ● Container image build with Docker ● Vulnerability scanning using Trivy before push ⚫️ 𝐂𝐃 𝐏𝐢𝐩𝐞𝐥𝐢𝐧𝐞 (𝐉𝐞𝐧𝐤𝐢𝐧𝐬) ● Automated update of Docker image version ● Deployment orchestrated via ArgoCD (GitOps approach) ● Application deployed on Kubernetes (K8s) 🔴 𝐎𝐛𝐬𝐞𝐫𝐯𝐚𝐛𝐢𝐥𝐢𝐭𝐲 & 𝐅𝐞𝐞𝐝𝐛𝐚𝐜𝐤 ● Monitoring powered by Prometheus & Grafana ● Alerts and notifications sent via email 💡 This setup ensures: ✔️ Shift-left security (early vulnerability detection) ✔️ Continuous quality gates ✔️ Automated, reliable deployments ✔️ Real-time monitoring and feedback loop #Docker #Kubernetes #Ansible #Jenkins #Maven #ReplicaSet #ReplicaSetController #CICDPIPELINE #GitHub

Is manual reverse engineering dead? 🤖💻 Wiz researchers just uncovered a Critical RCE in GitHub’s internal infrastructure (CVE-2026-3854) that could have exposed millions of private repositories. But the real story isn't just the bug—it’s how they found it. They used AI-augmented reverse engineering to deconstruct closed-source binaries at a speed that was previously impossible. What used to take months took days. The Technical TL;DR: 🔹 The Flaw: A simple semicolon injection in git push options. 🔹 The Chain: Overriding internal headers to bypass the sandbox and execute code as the git user. 🔹 The Stake: Full server compromise on GitHub Enterprise Server (GHES). The Reality Check: Right now, 88% of GHES instances remain unpatched. If you are running on-prem GitHub, your "heartbeat" command (git push) could be your biggest liability. I’ve broken down the full exploit chain and the AI methodology used to find it. Read the full analysis here: https://lnkd.in/gvyfH_gA #CyberSecurity #AI #GitHub #InfoSec #DevSecOps #BugBounty #TechLeadership

BlackDuck_SCA_CICD is your open-source GitHub repository showcasing a streamlined CI/CD integration for Black Duck SCA (Software Composition Analysis), empowering DevSecOps teams to automate vulnerability scanning in modern pipelines. Core Purpose This repo provides scripts, configs, and workflows (likely GitHub Actions or Jenkins-compatible) to embed Black Duck's Detect tool into CI/CD processes. It scans source code, binaries, containers, and dependencies for open-source risks, generating SBOMs for compliance and rapid remediation—ideal for AWS EKS, Azure, or Kubernetes environments. Key Features - Seamless Black Duck Detect integration for Maven, Gradle, or binary scans in pipelines. - Customizable for enterprise tools like Coverity upgrades or Falco runtime security. - Supports policy enforcement, reducing false positives and supply chain vulnerabilities. Professional Value - Developed amid your cybersecurity master's and roles at IBM/Harvard, it demonstrates hands-on expertise in secure pipelines—proven to accelerate scans and boost AppSec at scale. Fork, contribute, or adapt for your next project! Check it out: https://lnkd.in/eJ4dpGQg. Open to collaborations or DevSecOps chats! #DevSecOps #SCA #BlackDuckmend

A question I keep turning over: How many developers actually understand Git — versus just knowing enough commands to survive? I've been writing a comprehensive GitHub Handbook (beginner-friendly, two volumes, covers everything from "what is a repository" to the AI agents now opening pull requests autonomously) and the experience has been clarifying. Most of us learned GitHub by osmosis. A teammate showed us `git push`. We got yelled at for force-pushing once. We figured out pull requests. We never quite learned why any of it works the way it does. That's fine — until something breaks. And in 2026 the stakes are higher than ever, because the tools around Git have exploded. Copilot agents write code. Autofix patches vulnerabilities. MCP servers connect agents to your whole stack. The people who thrive in this environment are the ones with solid fundamentals + willingness to learn the new surface area. So my handbook starts from zero and ends at the current frontier. Volume I is the foundation. Volume II covers advanced topics and the comprehensive AI future. If that sounds useful — comment below and I'll send it your way. Curious to hear: what's the one GitHub concept you wish someone had explained to you earlier? #GitHub #Git #SoftwareDevelopment #AI #GitHubCopilot #LearningInPublic

Quick question: what credentials is your CI/CD pipeline using to access secrets? If the answer is "someone's personal API token" — you have a problem that's easy to miss until that person leaves. KeyEnv separates machine access from human access with service tokens. → Create a token scoped to exactly the project and environment your pipeline needs → Use it in GitHub Actions, GitLab CI, CircleCI, Railway, Render, Vercel → Revoke it instantly without touching anyone's personal account → See every access event in the audit log, attributed to the token — not a person The failure mode this prevents: engineer leaves, personal token gets deactivated, CI breaks in production at 2am, nobody knows why. Service tokens make automation a first-class citizen in your secrets workflow. Not an afterthought bolted on with a personal key and a prayer. #cicd #devops #security #githubactions #platformengineering

🚀 Discovering the Power of Bots in Code Analysis In the world of software development, automating the analysis of GitHub repositories can transform workflows. Recently, I explored an innovative approach to creating a Telegram bot that integrates real-time source code analysis, efficiently detecting vulnerabilities and key metrics. 🔍 Integration and Initial Configuration The process begins with the selection of accessible tools: Python as the base language, combined with libraries like python-telegram-bot to handle interactions and PyGitHub to access repositories. A bot token is configured in Telegram and GitHub credentials, ensuring a secure connection without exposing sensitive data. - 📊 Data Extraction: The bot receives a repository link and temporarily clones the code to analyze commits, issues, and pull requests. - 🛡️ Vulnerability Detection: It uses scanners like Bandit for Python or integrates external APIs to identify common risks in the code. - 📈 Quality Metrics: It calculates test coverage, cyclomatic complexity, and contributor activity, generating visual reports. ⚙️ Challenges and Optimizations During implementation, the need arose to handle API limits and process large repositories. Solutions included pagination in queries and caching with Redis for quick responses. Additionally, error handling was incorporated for stable bots in production environments. This approach not only accelerates code reviews but also fosters remote collaborations in distributed teams, ideal for DevOps and computer security. For more information, visit: https://enigmasecurity.cl #Cybersecurity #SoftwareDevelopment #GitHub #TelegramBot #Python #DevOps #CodeAnalysis If you're passionate about cybersecurity, consider donating to Enigma Security for more content: https://lnkd.in/er_qUAQh Connect with me on LinkedIn to discuss security trends: https://lnkd.in/eXXHi_Rr 📅 Wed, 08 Apr 2026 15:59:01 GMT 🔗Subscribe to the Membership: https://lnkd.in/eh_rNRyt

Stop Shipping "Heavy" Docker Images: The Power of Multi-Stage Builds & Distroless Are your Docker images bloated with unnecessary tools? If you are still shipping compilers, build logs, and shell utilities to production, you're leaving performance and security on the table. In modern DevOps, smaller is better. The Problem: Traditional Builds A standard Dockerfile often includes everything: the OS, build tools (Go, Maven, GCC), source code, and the final app. Result: A 1GB image for a 5MB application. Risk: High attack surface (shells like bash and package managers like apt can be exploited by hackers). The Solution: Multi-Stage Builds + Distroless By splitting your Dockerfile into two stages, you can drastically optimize your workflow: Stage 1 (Builder): Use a heavy image to compile your code. Stage 2 (Runtime): Use a Distroless image to run it. What is Distroless? It’s a minimalistic image that contains only your application and its runtime dependencies. No shell, no package manager, no extra bloat. Why this matters: Massive Size Reduction: Go from 800MB+ images down to <20MB. Hardened Security: By removing the shell (/bin/sh), you eliminate the most common way hackers execute malicious commands in a container. Faster Scaling: Smaller images pull from registries faster, making your CI/CD pipelines and Kubernetes deployments lightning quick. Pro-Tip: If you are building statically linked binaries (like in Go or Rust), try using FROM scratch. It's the ultimate zero-byte base image! Stop shipping your "builder" tools to production. Your infrastructure—and your security team—will thank you. #Docker #DevOps #ContainerSecurity #CloudNative #Kubernetes #SoftwareEngineering #Distroless #Microservices