Wiz Research Team just disclosed a critical RCE in GitHub's internal git push pipeline affecting both GitHub.com and GitHub Enterprise Server (GHES) (CVE-2026-3854).

git push options are embedded verbatim into an internal X-Stat header without sanitizing semicolons. Since the header parser uses last-write-wins semantics, an authenticated user can inject arbitrary key=value fields by including a semicolon in a push option value.

RCE can be achieved by chaining three injected fields together:
- rails_env: bypasses the hook execution sandbox
- custom_hooks_dir: redirects the hook script lookup path
- repo_pre_receive_hooks: injects a hook definition with path traversal to an arbitrary binary

On GHES, RCE as the git service user means full server compromise.

Patch your GHES now and check /var/log/github-audit.log for push operations containing ";" in push options.
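The injection class the post describes, shown as an added example (not GitHub's code and not Wiz's proof of concept): a header built as "key=value;key=value;..." with one "push_option=<value>" field per push option, parsed last-write-wins, beside a hardened builder and parser. The exact X-Stat layout is not on this page, so the layout and the field name "hook_sandbox" are constructed assumptions; the fix pattern (encode user-controlled values so the separator can never appear as syntax, and refuse duplicate internal keys) is the general one.

```python
"""Delimiter injection in a ';'-separated key=value header, and a hardened version.

Added example, not GitHub's code. Assumed layout: "key=value;key=value;..."
with one "push_option=<value>" field per git push option, as the post
describes the X-Stat header (values embedded verbatim, ';' as separator,
last write wins on duplicate keys). "hook_sandbox" is a constructed field name.
"""
import re
from urllib.parse import quote, unquote

SEPARATOR = ";"
KEY_RE = re.compile(r"^[a-z_]+$")


class HeaderError(ValueError):
    """Raised by the strict parser on malformed or duplicated fields."""


def build_header_vulnerable(internal: dict, push_options: list) -> str:
    """Embeds every push option verbatim: a ';' inside a value starts a new field."""
    parts = [f"{k}={v}" for k, v in internal.items()]
    parts += [f"push_option={opt}" for opt in push_options]
    return SEPARATOR.join(parts)


def parse_header_last_wins(header: str) -> dict:
    """Vulnerable parser: a later duplicate of a key silently replaces the earlier one."""
    fields = {}
    for part in header.split(SEPARATOR):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def build_header_hardened(internal: dict, push_options: list) -> str:
    """Percent-encodes every value so no ';' or '=' from user input survives as syntax."""
    parts = [f"{k}={quote(str(v), safe='')}" for k, v in internal.items()]
    parts += [f"push_option={quote(opt, safe='')}" for opt in push_options]
    return SEPARATOR.join(parts)


def parse_header_strict(header: str) -> dict:
    """Strict parser: decodes values, rejects bad keys and any repeated internal key.

    push_option may legitimately repeat (one per option), so those values are
    collected into a list under "push_options" instead of overwriting each other.
    """
    fields = {"push_options": []}
    for part in header.split(SEPARATOR):
        key, sep, value = part.partition("=")
        if not sep or not KEY_RE.match(key):
            raise HeaderError(f"malformed field: {part!r}")
        if key == "push_option":
            fields["push_options"].append(unquote(value))
            continue
        if key in fields:
            raise HeaderError(f"duplicate internal key: {key}")
        fields[key] = unquote(value)
    return fields


def demo() -> tuple:
    """Runs both paths on one constructed input and returns what each parser saw."""
    internal = {"hook_sandbox": "enabled"}
    options = ["ci-skip;hook_sandbox=disabled"]  # constructed value carrying the separator
    vuln = parse_header_last_wins(build_header_vulnerable(internal, options))
    hard = parse_header_strict(build_header_hardened(internal, options))
    try:
        parse_header_strict(build_header_vulnerable(internal, options))
        strict_rejects_raw = False
    except HeaderError:
        strict_rejects_raw = True
    return vuln["hook_sandbox"], hard["hook_sandbox"], hard["push_options"], strict_rejects_raw


if __name__ == "__main__":
    print(demo())  # ('disabled', 'enabled', ['ci-skip;hook_sandbox=disabled'], True)
```

The vulnerable path lets the value of one push option rewrite an internal field; the hardened path keeps the option intact as data (it decodes back to the original string) while the internal field keeps its value, and the strict parser also refuses the raw vulnerable header outright because it sees the key twice. Either half of the fix alone closes the hole; both together give defence in depth.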
Seralys’ Post
🔧 GitHub uses eBPF to fix a problem most teams don't even know they have until an outage hits.

Here's the scenario: GitHub goes down. To fix it, you need to deploy a fix. But your deploy script pulls a binary... from GitHub. 💀 Classic circular dependency.

The obvious fix? Block access to github.com from the deploy machine. But these are stateful hosts serving live traffic — you can't just cut them off.

So GitHub's engineers got creative with eBPF:
→ They create a cGroup containing only the deployment script process
→ An eBPF program hooks into network egress for just that cGroup
→ DNS queries from the deploy script are intercepted and routed to a custom userspace proxy
→ The proxy evaluates domains against a blocklist and communicates results back via eBPF Maps
→ Bonus: the tool captures the exact process ID + command line that triggered each blocked request

The result? A log line like this:
📋 WARN DNS BLOCKED domain=github.com cmd="curl github.com"

This means teams immediately know what's causing the circular dependency — no guesswork, no hunting.

What I love about this approach:
✅ Surgical precision — only the deploy process is sandboxed, not the whole host
✅ No iptables rules, no infra changes — just kernel-level hooks
✅ Full observability: every domain touched during a deploy is audited
✅ Bonus: cGroups also enforce CPU/memory limits on deploy scripts

eBPF continues to be one of the most underrated tools in the platform engineering toolkit. #eBPF
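The decision step of the userspace proxy described in that post, as an added example that is not GitHub's tooling: it parses the question name out of a raw DNS query, matches it against a blocklist by label suffix (so api.github.com is blocked but notgithub.com is not), and emits the log line shape the post shows. The eBPF side (cgroup egress hook, maps) is not modelled; the process command line is assumed to be handed in by that side, and the query packet is constructed inline.

```python
"""Blocklist evaluation for intercepted DNS queries, modelled on the post's proxy.

Added example, not GitHub's code. Only the proxy's decision is shown: the
eBPF egress hook that delivers the packet and the process command line is
assumed to exist outside this snippet. Packets are built here for illustration.
"""
import struct

BLOCKLIST = {"github.com"}  # constructed blocklist for the example


def encode_qname(name: str) -> bytes:
    """'api.github.com' -> b'\\x03api\\x06github\\x03com\\x00' (DNS label format)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal A-record query: 12-byte header, one question, no other sections."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """Extract the first question's name; rejects truncated packets and label pointers."""
    if len(packet) < 12:
        raise ValueError("packet shorter than DNS header")
    qdcount = struct.unpack(">H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        pos += 1
        if pos + length > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    return ".".join(labels)


def is_blocked(domain: str, blocklist=BLOCKLIST) -> bool:
    """True if the domain or any parent domain (by whole labels) is on the blocklist."""
    parts = domain.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def evaluate(packet: bytes, process_cmdline: str, blocklist=BLOCKLIST) -> tuple:
    """Return (verdict, log_line); the log line mirrors the format quoted in the post."""
    domain = parse_qname(packet)
    if is_blocked(domain, blocklist):
        return "BLOCK", f'WARN DNS BLOCKED domain={domain} cmd="{process_cmdline}"'
    return "ALLOW", f'INFO DNS ALLOWED domain={domain} cmd="{process_cmdline}"'


if __name__ == "__main__":
    for name in ("github.com", "api.github.com", "notgithub.com", "example.org"):
        print(evaluate(build_query(name), f"curl {name}")[1])
```

Matching on whole labels rather than on string suffix is the part worth copying: a plain `endswith("github.com")` would also block notgithub.com, and a plain equality check would miss every subdomain.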
A critical remote code execution vulnerability (CVE-2026-3854, CVSS 8.7) was recently disclosed in GitHub’s internal git infrastructure that could be exploited by any authenticated user with repository push access.

The TTPs involved an injection flaw in the X-Stat header: attackers crafted git push options containing semicolons (;) to inject and override internal fields (such as rails_env, custom_hooks_dir, repo_pre_receive_hooks, and user_operator_mode on GitHub.com). This bypassed sandboxing and allowed execution of arbitrary code via pre-receive hooks using only a standard git client.

Potential impact:
- On GitHub Enterprise Server (GHES): Full server compromise, including access to all hosted repositories and internal secrets.
- On GitHub.com: Remote code execution on shared storage nodes, with potential cross-tenant exposure to millions of public and private repositories.

GitHub mitigated the issue on its cloud platform within hours and has released patches for all supported GHES versions (vulnerable ≤ 3.19.1; fixed in 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, 3.19.3+). Self-hosted administrators should upgrade immediately.

Full technical breakdown from Wiz Research: https://lnkd.in/eRThbsZJ

#GitHub #RCE #Vulnerability #InfoSec #DevSecOps #AppSec #CVE20263854
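A version check a GHES administrator can run over an inventory, added here as an example and not GitHub's or Wiz's tooling. The fixed versions are the ones the post lists; any build below the fix in its own release series is reported as vulnerable. The handling of series newer than 3.19 (treated as patched) and of series older than 3.14 (no fix listed, so reported for upgrade) are assumptions stated in the code. How the version strings are collected from each instance is outside the example; the inventory shown is constructed.

```python
"""Is a GitHub Enterprise Server build patched for CVE-2026-3854?

Added example, not GitHub's or Wiz's tooling. Fixed versions are those
listed in the post above. Assumptions: any series newer than 3.19 shipped
after the fix and counts as patched; a series older than 3.14 has no fix
listed and is reported for upgrade. Version strings come from your own
inventory; collecting them is not shown here.
"""

FIXED_VERSIONS = {
    (3, 14): (3, 14, 24),
    (3, 15): (3, 15, 19),
    (3, 16): (3, 16, 15),
    (3, 17): (3, 17, 12),
    (3, 18): (3, 18, 6),
    (3, 19): (3, 19, 3),
}
NEWEST_FIXED_SERIES = max(FIXED_VERSIONS)


def parse_version(text: str) -> tuple:
    """'3.19.1' or 'v3.19.1' -> (3, 19, 1); anything else raises ValueError."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(text: str) -> tuple:
    """Return (patched: bool, reason: str) for one version string."""
    version = parse_version(text)
    series = version[:2]
    if series in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[series]
        fixed_str = ".".join(map(str, fixed))
        if version >= fixed:
            return True, f"{text} is at or above {fixed_str}"
        return False, f"{text} is below {fixed_str}; upgrade"
    if series > NEWEST_FIXED_SERIES:
        # Assumption: releases after the 3.19 series already carry the fix.
        return True, f"{text} is newer than the last listed fixed series (assumed patched)"
    return False, f"{text} is an older series with no fix listed; upgrade to a supported release"


def unpatched_hosts(inventory: dict) -> dict:
    """Map host -> reason for every entry of {host: version} that is not patched.

    Unparseable versions are reported too: an instance you cannot assess
    should show up in the findings rather than silently pass.
    """
    findings = {}
    for host, version in inventory.items():
        try:
            patched, reason = is_patched(version)
        except ValueError as exc:
            patched, reason = False, str(exc)
        if not patched:
            findings[host] = reason
    return findings


SAMPLE_INVENTORY = {  # constructed inventory for illustration
    "ghes-prod": "3.19.1",
    "ghes-staging": "3.18.6",
    "ghes-legacy": "3.13.9",
    "ghes-new": "3.20.0",
}

if __name__ == "__main__":
    for host, reason in unpatched_hosts(SAMPLE_INVENTORY).items():
        print(f"{host}: {reason}")
```

Comparing within the release series matters: a plain numeric comparison against 3.19.3 would wrongly flag 3.18.6 as vulnerable and wrongly clear nothing, while a comparison against 3.14.24 alone would wrongly clear 3.19.1.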
One authenticated git push achieved remote code execution on GitHub's backend. That's CVE-2026-3854.

Any GitHub user with push access to a repo could inject arbitrary commands by crafting push option values. The internal X-Stat header used a delimiter that appeared in user input. One crafted push and the git service ran hooks with no sandbox, full filesystem access, as the git service user.

GitHub.com was patched silently on March 4. Enterprise Server got a fix on March 10. Public disclosure came April 28. Seven weeks of silence while Help Net Security confirmed 88% of self-hosted GitHub Enterprise Server instances were still running the vulnerable build.

If you're on GHES, you need version 3.19.3 or later. The CVSS score is 8.7. The attack doesn't need a zero-click exploit or advanced tooling. Write access to any repository is enough.

The seven-week disclosure gap bothers me more than the bug. Responsible disclosure gives defenders time to patch. Running 88% of enterprise instances exposed while the vendor says nothing isn't coordinated disclosure. It's a liability transfer.

When did your security team last verify which GitHub Enterprise Server version your organization is running?

#AppSec #GitHub #CVE20263854 #SupplyChainSecurity #DevSecOps
Tired of manually setting GitHub secrets/variables one by one? I built a small bash script that bulk-creates GitHub environment secrets or variables from a .env file — with a masked preview before touching anything.

What it does:
- Reads any .env format (KEY=value, KEY: value, quoted values)
- Auto-detects your repo if you're inside a git directory
- Validates the GitHub environment exists before doing anything
- Shows a masked preview (xxxx****xxxx) and asks for confirmation
- --dry-run mode to validate without creating anything
- Colored output + proper exit codes for CI pipelines

# Secrets
./create-gh-secrets.sh .env.staging my-org/my-repo Staging --secret

# Variables (auto-detect repo)
./create-gh-secrets.sh .env.production Production --variable

# Just preview, don't create anything
./create-gh-secrets.sh .env.staging Staging --secret --dry-run

Saved me a lot of time managing multiple environments across projects. Leaving it here in case it helps someone else.

🔗 https://lnkd.in/d4_RGYb8

#DevOps #GitHub #Bash #DeveloperTools #Automation
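The parsing and preview half of such a tool, written here as an added example rather than the author's script: it reads the three .env shapes the post lists (KEY=value, KEY: value, quoted values), masks each value as xxxx****xxxx so the confirmation prompt never prints a secret in full, and builds the gh CLI invocations as argv lists without running them (the dry-run behaviour). The gh flags used (--repo, --env, --body on `gh secret set` / `gh variable set`) are from the gh CLI's documented interface; the .env content is constructed.

```python
"""Parse a .env file, mask values for a preview, and plan gh commands without running them.

Added example, not the script from the post. Accepts KEY=value, KEY: value and
quoted values, produces the "xxxx****xxxx" preview, and returns gh invocations
as argv lists (documented flags: --repo, --env, --body). Executing them is
left to the caller, which is what makes this the dry-run path.
"""
import re

# optional "export", a shell-style key, then '=' or ':' and the rest of the line
LINE_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*(.*?)\s*$")


def parse_env(text: str) -> dict:
    """Return {KEY: value} for every non-blank, non-comment line; raise on junk lines."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # quoted: keep the inside verbatim, '#' and ';' included
        else:
            value = value.split(" #", 1)[0].rstrip()  # unquoted: drop a trailing comment
        result[key] = value
    return result


def mask(value: str, keep: int = 4) -> str:
    """Show at most the first and last `keep` characters; short values are hidden entirely."""
    if len(value) <= 2 * keep:
        return "*" * len(value)
    return value[:keep] + "****" + value[-keep:]


def preview(env: dict) -> list:
    """Lines of the form 'KEY=xxxx****xxxx' for the confirmation prompt."""
    return [f"{key}={mask(value)}" for key, value in sorted(env.items())]


def plan_commands(env: dict, repo: str, environment: str, kind: str) -> list:
    """One gh argv per entry; kind is 'secret' or 'variable'. Nothing is executed here."""
    if kind not in ("secret", "variable"):
        raise ValueError("kind must be 'secret' or 'variable'")
    return [
        ["gh", kind, "set", key, "--repo", repo, "--env", environment, "--body", value]
        for key, value in sorted(env.items())
    ]


SAMPLE_ENV = """\
# constructed sample, not a real file
DB_HOST=db.internal
DB_PASS: "p@ss;word #1"
API_TOKEN='tok_1234567890'
export REGION = us-east-1   # trailing comment
"""

if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    print("\n".join(preview(env)))
    for argv in plan_commands(env, "my-org/my-repo", "Staging", "secret"):
        print(" ".join(argv[:-1]), "--body <hidden>")
```

Two details carry the security weight: quoted values are taken verbatim so a password containing `#` or `;` is not truncated into a wrong (and silently accepted) secret, and the preview path never has access to anything but the masked string, so a log of the prompt cannot leak a value.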
For the past few weeks, I've been running an experiment to automate user support for Warp's mailing list and GitHub issues with surprisingly good results. Here is an example from this morning that impressed me – it would have taken me much longer to spot the incorrect decimal separator: https://lnkd.in/gscu_Ebc

I had Claude write a harness script for itself and add appropriate instructions to CLAUDE.md. Each time the script runs, it pulls the latest changes to Warp, RELION, and a few other GitHub repos. If there is anything new, it uses qwen3-embedding:8b through Ollama to re-index the updated code for RAG search. Then it pulls new emails and issues via AgentMail and GitHub MCPs. For each of them, Claude Code is launched in headless mode via `claude -p`. It has access to RAG search over all code, old support emails and issues (previously embedded via Ollama), and of course Claude Code's own tooling. Finally, it drafts replies where appropriate, and decides whether to open new GitHub issues for bugs or feature requests. I review the drafts, make changes if needed, and then Claude sends them. Afterwards, Ollama runs the embedding model on all new messages to include them in future RAG results.

The manual review is certainly the least elegant part here. But then again, the problem space is huge, the people requesting support are very smart in the first place, and Claude can't read my mind. So far I've only had to remove redundant parts, but never add new insights. It's especially funny if the original support request was clearly written by an LLM as well – then it's just 2 bots talking to each other 🤖🤖
Securing GitHub: Wiz Research uncovers Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854) https://lnkd.in/dFief6JS #DevSecOps #SecDevOps #ApplicationSecurity #AppSec #CloudSecurity #CloudSec #SoftwareSecurity
Turn a GitHub repo into a public, queryable database. Built a GitHub Action that indexes markdown / JSON / YAML files and serves them via GitHub’s raw content API. No infra. Just structured data, directly from your repo. Useful for lightweight APIs, documentation as data, and feeding structured context into LLMs. https://lnkd.in/g-ew_tDE
A critical GitHub vulnerability, tracked as CVE-2026-3854, allowed authenticated users to achieve remote code execution (RCE) across GitHub.com and GitHub Enterprise Server using nothing more than a single malicious git push command.

Why This Vulnerability Is So Severe

1. RCE Across Shared Infrastructure
On GitHub.com, exploitation enabled RCE on shared storage nodes, which host data for millions of repositories. Researchers confirmed that the compromised system account had theoretical access to:
- private repositories
- proprietary codebases
- organizational metadata
- internal configuration data
- sensitive secrets and credentials

2. Full Server Compromise on GHES
On GitHub Enterprise Server, the same flaw allowed complete server takeover, including access to all hosted repositories and internal secrets.

3. Extremely Easy to Exploit
The exploit required:
- no special tools
- no elevated privileges
- only a standard Git client
- a single crafted git push command
Researchers described it as “remarkably easy” to exploit.

4. Massive Exposure Window
Even after GitHub patched the issue, 88% of GHES instances remained unpatched at the time of disclosure — leaving thousands of organizations exposed.

This is one of the most severe architectural vulnerabilities ever discovered in GitHub, demonstrating how a single injection flaw in a shared platform can cascade into cross-tenant exposure affecting millions of repositories globally. It also highlights a new era of AI-assisted vulnerability discovery — this flaw was one of the first major RCEs in closed-source binaries identified using AI-augmented analysis.
🚨GitHub's CVE-2026-3854 is real but overhyped for most users, GitHub.com was patched fast, no wild exploitation found. Enterprise Server is a different story. 88% still unpatched at disclosure. The window was open. Alphonse Industries is watching. 🔗https://lnkd.in/eU5fr-Tu
🚀 Part 2 of my DevOps CI/CD Pipeline blog is live!

After pushing the image to ECR, here's what the CD side looks like:
✅ Jenkins triggers GitHub Actions automatically
✅ GitHub Actions updates the image tag in the deployment manifest
✅ Deploys directly to Kubernetes
✅ ArgoCD syncs and maintains the desired state

Also covered real issues you'll actually face:
⚠️ GitHub token permission errors
⚠️ ImagePullBackOff from private ECR
⚠️ Self-hosted runner push issues
and how to fix all of them

🔗 Blog: https://lnkd.in/gp74F4vp
🔗 CD Repo: https://lnkd.in/gwCuDcmD

If you're building something similar or stuck on any part of this feel free to reach out, happy to help! 🙌 And if you find this useful, a follow would mean a lot 😊

#DevOps #Jenkins #CICD #Docker #AWS #ECR #Kubernetes #GitHubActions #ArgoCD #CloudComputing #Linux #DevOpsEngineer #Medium
Full technical write-up from Wiz: https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
GitHub's security blog: https://github.blog/security/securing-the-git-push-pipeline-responding-to-a-critical-remote-code-execution-vulnerability/