The Future Of GitHub Actions Security And What You Can Do Right Now
GitHub is hardening Actions with deterministic dependencies, scoped secrets, and policy controls. Teams still need immediate detection and remediation for today’s risk.
Honeytokens on the Developer Workstation: When Cleanup Takes Time
Plaintext secrets on developer machines create real supply chain risk. Honeytokens provide early detection while stronger identity-based controls are rolled out.
The GhostAction Campaign: 3,325 Secrets Stolen Through Compromised GitHub Workflows
On September 5, 2025, GitGuardian discovered GhostAction, a massive supply chain attack affecting 327 GitHub users across 817 repositories. Attackers injected malicious workflows that exfiltrated 3,325 secrets, including PyPI, npm, and DockerHub tokens via HTTP POST requests to a remote endpoint.
Dependency Confusion Attacks and Prevention: Register Your Private Package Names
Dependency confusion attacks exploit gaps in your software supply chain. Dive into modern dependency management and learn how to defend your systems with best practices.
Vulnerability of the Month - Controversy of the JetBrains TeamCity CVE-2024-27198 & CVE-2024-27199
This month we dive into CVE-2024-27198 for JetBrains TeamCity and the controversy surrounding the patching process that contributed to it being exploited in the wild.
Why you need an SBOM (Software Bill Of Materials)
SBOMs are security analysis artifacts becoming required by more companies due to internal policies and government regulation. If you sell or buy software, you should know the what, why, and how of the SBOM.
The Open-Source Backdoor That Almost Compromised SSH
The open-source world narrowly escaped a sophisticated supply-chain attack that could have compromised countless systems. A stark reminder of the necessity of vigilant monitoring and rigorous vetting within the open-source ecosystem to maintain trust and security.
Three Mechanisms to Protect Your Git Repositories
...despite all intentions to follow best practices, they don't. When you automate enforcement of best practices, you can ensure those practices are followed...
Securing The Software Delivery Pipeline With Honeytokens
Discover how honeytokens enhance security by detecting breaches in real-time across the software development lifecycle. Learn how to deploy these decoy credentials and traps effectively, bolstering defenses against cyber threats.
Top Secrets Management Tools for 2024
Let's walk through nine of the top secrets management solutions for 2024.
Uncovering thousands of unique secrets in PyPI packages
Security Researcher Tom Forbes worked with the GitGuardian team to analyze all the code committed to PyPi packages and surfaced thousands of hardcoded credentials.
Webinar Recap: Hands-on guide to Runtime Security for CI/CD Pipelines with StepSecurity
A condensed recap of our hands-on runtime security webinar from September. Get the juiciest knowledge nuggets and pointers to more.
