Mitigate software supply chain risks in Github Actions | ODSP938

Microsoft Developer · Beginner ·☁️ DevOps & Cloud ·1mo ago

Key Takeaways

Mitigate software supply chain risks in GitHub Actions using practical strategies

Original Description

GitHub Actions workflows are a prime target for supply chain attacks—from malicious pull requests exfiltrating secrets to compromised dependencies and hijacked tags. In this 15-minute session, we'll walk through practical, high-impact strategies to protect your CI/CD pipelines, including how to inspect repos for hidden risks, shrink your attack surface, and lock down what your workflows can actually do. Leave with a concrete checklist to harden your workflows today. Stay safe! 𝗦𝗽𝗲𝗮𝗸𝗲𝗿𝘀: * Erika Heidi 𝗦𝗲𝘀𝘀𝗶𝗼𝗻 𝗜𝗻𝗳𝗼𝗿𝗺𝗮𝘁𝗶𝗼𝗻: This is one of many sessions from the Microsoft Build 2026 event. View even more sessions on-demand and learn about Microsoft Build at https://build.microsoft.com ODSP938 | English (US) | Developer tools & frameworks, Cloud platform & data Pre-recorded #MSBuild Chapters: 0:00 - Introduction by Erika Heidi and Overview of Talk 00:02:47 - Risks from Secrets Exposure and Write-Capable Tokens 00:03:49 - Preventing Malicious Code Propagation through Protected Branches and Tags 00:04:45 - Reducing Entry Points and Managing Dependencies to Lower Risk 00:05:34 - Removing Unnecessary Runtime and OS-Level Components 00:11:02 - Introducing Digestabot for maintaining up-to-date containers and workflows 00:12:26 - Case study: Trivy incident from PAT exfiltration 00:14:02 - Reducing attack surface and pulling from trusted sources 00:14:41 - Final summary: pin by digest, use Octo-STS, avoid long-lived tokens
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Related Reads

📰
AWS Self-Healing Infrastructure: Catching and Fixing Server Crashes with AI Autopilot
Learn how to use AWS Self-Healing Infrastructure with AI Autopilot to catch and fix server crashes automatically
Medium · DevOps
📰
Understanding a Real AWS CodePipeline CI/CD Flow: Source Build Deploy"
Learn how to set up a CI/CD pipeline using AWS CodePipeline, covering source, build, and deploy stages
Dev.to · Guna SantoshDeep Srivastava
📰
How to Use Terraform with Python for Infrastructure
Learn to manage infrastructure with Terraform and Python for efficient and automated deployment
Dev.to · qing
📰
Interactive containers and exec: get inside, run commands, get out
Learn to interact with Docker containers using exec, cp, and shells to run commands and manage files
Dev.to · Javi Palacios

Chapters (9)

Introduction by Erika Heidi and Overview of Talk
2:47 Risks from Secrets Exposure and Write-Capable Tokens
3:49 Preventing Malicious Code Propagation through Protected Branches and Tags
4:45 Reducing Entry Points and Managing Dependencies to Lower Risk
5:34 Removing Unnecessary Runtime and OS-Level Components
11:02 Introducing Digestabot for maintaining up-to-date containers and workflows
12:26 Case study: Trivy incident from PAT exfiltration
14:02 Reducing attack surface and pulling from trusted sources
14:41 Final summary: pin by digest, use Octo-STS, avoid long-lived tokens
Up next
AWS, Azure, GCP: The One Thing Every Business Gets Wrong
AI Daily
Watch →