Mitigate software supply chain risks in Github Actions | ODSP938
Key Takeaways
Mitigate software supply chain risks in GitHub Actions using practical strategies
Original Description
GitHub Actions workflows are a prime target for supply chain attacks—from malicious pull requests exfiltrating secrets to compromised dependencies and hijacked tags. In this 15-minute session, we'll walk through practical, high-impact strategies to protect your CI/CD pipelines, including how to inspect repos for hidden risks, shrink your attack surface, and lock down what your workflows can actually do. Leave with a concrete checklist to harden your workflows today. Stay safe!
𝗦𝗽𝗲𝗮𝗸𝗲𝗿𝘀:
* Erika Heidi
𝗦𝗲𝘀𝘀𝗶𝗼𝗻 𝗜𝗻𝗳𝗼𝗿𝗺𝗮𝘁𝗶𝗼𝗻:
This is one of many sessions from the Microsoft Build 2026 event. View even more sessions on-demand and learn about Microsoft Build at https://build.microsoft.com
ODSP938 | English (US) | Developer tools & frameworks, Cloud platform & data
Pre-recorded
#MSBuild
Chapters:
0:00 - Introduction by Erika Heidi and Overview of Talk
00:02:47 - Risks from Secrets Exposure and Write-Capable Tokens
00:03:49 - Preventing Malicious Code Propagation through Protected Branches and Tags
00:04:45 - Reducing Entry Points and Managing Dependencies to Lower Risk
00:05:34 - Removing Unnecessary Runtime and OS-Level Components
00:11:02 - Introducing Digestabot for maintaining up-to-date containers and workflows
00:12:26 - Case study: Trivy incident from PAT exfiltration
00:14:02 - Reducing attack surface and pulling from trusted sources
00:14:41 - Final summary: pin by digest, use Octo-STS, avoid long-lived tokens
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
More on: CI/CD Pipelines
View skill →Related Reads
📰
📰
📰
📰
AWS Self-Healing Infrastructure: Catching and Fixing Server Crashes with AI Autopilot
Medium · DevOps
Understanding a Real AWS CodePipeline CI/CD Flow: Source Build Deploy"
Dev.to · Guna SantoshDeep Srivastava
How to Use Terraform with Python for Infrastructure
Dev.to · qing
Interactive containers and exec: get inside, run commands, get out
Dev.to · Javi Palacios
Chapters (9)
Introduction by Erika Heidi and Overview of Talk
2:47
Risks from Secrets Exposure and Write-Capable Tokens
3:49
Preventing Malicious Code Propagation through Protected Branches and Tags
4:45
Reducing Entry Points and Managing Dependencies to Lower Risk
5:34
Removing Unnecessary Runtime and OS-Level Components
11:02
Introducing Digestabot for maintaining up-to-date containers and workflows
12:26
Case study: Trivy incident from PAT exfiltration
14:02
Reducing attack surface and pulling from trusted sources
14:41
Final summary: pin by digest, use Octo-STS, avoid long-lived tokens
🎓
Tutor Explanation
DeepCamp AI