This talk was recorded at NDC Manchester in Manchester, England. Attend the next NDC conference near you: https://ndcconferences.com https://ndcmanchester.com/

GitHub Actions is central to many CI/CD pipelines, and an unsecured workflow is an attack vector in its own right. Misconfigurations expose the software supply chain to malicious code injection, credential theft, and release tampering, and real-world incidents have already shown how urgent securing automated pipelines is.

This talk examines the main GitHub Actions security risks: token leaks, script injection through untrusted inputs, and threats from unvetted third-party Actions or compromised runners. It then sets out actionable strategies for securing your workflows. Key topics: the principle of least privilege (scoping GITHUB_TOKEN permissions, using OIDC instead of long-lived secrets), vetting third-party Actions, securing runners, and hardening workflows (input sanitization, code signing).

Attendees gain practical knowledge to turn GitHub Actions from a weak point into a strong supply chain defense, ensuring secure automation.