Palo Alto Networks

Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows

In today’s post, we look at action pinning, one of the most effective mitigations against supply chain attacks in the GitHub Actions ecosystem. It turns out, though, that action pinning comes with a downside — a pitfall we call "unpinnable actions" that allows attackers to execute code in GitHub Actions workflows even when every action reference is pinned.

As we discussed in the previous blog post, Third-Party GitHub Actions: Effects of an Opt-Out Permission Model, the permissive nature of GitHub Actions...

Aug 30, 2023
