One Million Bytes

Github Actions - Supply Chain Attacks



In this episode, we discuss the recent tj-actions/changed-files GitHub Action compromise. I propose some ways we can apply existing solutions to this problem, in a way that doesn't add too much extra friction, but can greatly lessen the number of users impacted by a compromise like this.

I also mention some information from Step Security’s blog post on the topic, which I’d recommend reading: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

See also: This episode in blog form

Edit: I have published a revised version of this episode clarifying the current state of Dependabot for managing action updates.


One Million Bytes, by Rich Infante