GitHub Security Lab’s cover photo
GitHub Security Lab

GitHub Security Lab

Software Development

Securing open source software, together

Follow

About us

Website
https://securitylab.github.com
Industry
Software Development

Updates

  • View organization page for GitHub Security Lab
    GitHub Security Lab

    6,321 followers

    Workflow Execution Protections is another ✨ security ship from the GitHub Actions team: Control who and what triggers GitHub Actions workflows. For example you can use this new feature to restrict or prohibit pull_request_target across your organization. https://lnkd.in/gbBGgcwp

    View profile for Steve Glass
    Steve Glass

    Today we shipped Workflow Execution Protections for GitHub Actions, a core component of our 2026 security roadmap Gregory OseGregory Ose and I published in March. Built on GitHub's ruleset framework, Workflow Execution Protections give administrators the ability to control who can trigger workflows and which events are permitted to run them. These policies can be enforced consistently across enterprises, organizations, and repositories. This gives organizations a centralized way to govern workflow execution and reduce risk from commonly abused triggers such as pull_request_target. I'm incredibly proud of what the team accomplished here. A huge thank you to the Actions engineering team for their partnership in bringing this feature to life over the past several months. Changelog 👉 https://lnkd.in/gzx9g2zT

  • View organization page for GitHub Security Lab
    GitHub Security Lab

    6,321 followers

    A step towards making GitHub Actions more secure by default: actions/checkout v7 refuses the most common pwn request patterns by default! Read the changelog: Safer pull_request_target defaults for GitHub Actions checkout https://lnkd.in/gWzgskBz

    View profile for Gregory Ose
    Gregory Ose

    Today we shipped actions/checkout v7 that refuses the most common pwn request patterns by default. Pwn requests are one of the most widespread and damaging classes of GitHub Actions vulnerabilities. A workflow using pull_request_target runs with repository secrets and a privileged token. Check out the head of an unreviewed fork pull request inside one, and attacker-controlled code runs with all of it. This has been the root cause of many recent and historical supply-chain incidents. In March I started iterating on this idea with the Actions product and engineering teams. There are still valid reasons to check out a fork's head, as long as you never execute it, and removing the capability would just push developers toward less auditable patterns like a manual git checkout in a run script. So we followed the pattern of APIs like React's dangerouslySetInnerHTML: keep a clear, deliberately named escape hatch, and funnel developers to documentation on the risks before they reach for it. The opt-out is named allow-unsafe-pr-checkout, so it is auditable by static analysis and signals to reviewers that the workflow is operating in a potentially unsafe way. Secure by default does not always mean removing a risky behavior. It means a developer has to understand the risk and opt in deliberately. We are also backporting the protection to all currently supported majors on July 16, so workflows on a floating tag like actions/checkout@v4 become secure by default with no work from the developer. Huge thanks to Steve Glass and the Actions team for partnering on this and shipping it. There is always more we can do, and more changes are coming to make Actions secure by default. I think the most impactful ones are still ahead. 🔒 Changelog and guidance on using pull_request_target safely are in the comments.

  • GitHub Security Lab reposted this

    View organization page for DevOpsDays Lima
    DevOpsDays Lima

    3,204 followers

    🚀 ¡Nuevo Keynote confirmado para #DevOpsDaysLima2026! Cuando el código abierto que usa medio mundo empieza a ser generado por IA, la pregunta ya no es si hay riesgos. La pregunta es quién los está resolviendo. 🎤 Nos enorgullece anunciar que Xavier René-Corail de GitHub, llega a Lima como Keynote Speaker de esta nueva edición. Referente mundial en seguridad y open source, lidera el trabajo del GitHub Security Lab asegurando el código del que depende gran parte de la infraestructura tecnológica global. Su charla: "𝗢𝗽𝗲𝗻 𝘀𝗼𝘂𝗿𝗰𝗲 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗶𝗻 𝘁𝗵𝗲 𝗔𝗜 𝗲𝗿𝗮" Una sesión donde compartirá las lecciones aprendidas protegiendo código abierto a escala, cómo están enfrentando los ataques a la cadena de suministro y qué significa asegurar código cuando parte de ese código ya no lo escribe un humano. ¿Es la IA el fin del open source o la oportunidad de asegurarlo mejor que nunca? Ven y decide tú mismo. 👀 Una charla imprescindible para quienes quieren proteger su software en esta nueva era. 📅 27 y 28 de agosto de 2026 📍 Centro de Convenciones de Lima - LCC 🎟️ Asegura tu entrada 👉 https://lnkd.in/eetV4ME7 Dos días de charlas, networking y aprendizaje junto a speakers nacionales e internacionales, comunidades tech y líderes que están marcando el rumbo del DevOps en la región. 🌎 🙌 No te quedes fuera. La comunidad te espera. #DevOpsDaysLima2026 #DevOps #DevOpsLATAM #OpenSource #DevSecOps #SupplyChainSecurity #ComunidadDevOps #GitHub

    • No alternative text description for this image

  • GitHub Security Lab reposted this

    View organization page for DevTalksRomania
    DevTalksRomania

    12,785 followers

    We loved every part of it!  At DevTalks Romania 2026, Joseph Katsioloudes brought a hands-on perspective on secure software development in the AI era through “Code Security Reinvented: Navigating the era of AI”. From AI-assisted secure coding and agentic workflows to supply chain security and faster remediation processes, the session explored how AI can help scale security expertise across modern engineering teams. Kudos to you, Joseph!

    • No alternative text description for this image
    • No alternative text description for this image
  • View organization page for GitHub Security Lab
    GitHub Security Lab

    6,321 followers

    Attending BSides Vilnius? Don't miss 📌 Jaroslav Lobačevski 's session "LLM-assisted vulnerability hunting: hype vs. reality" to hear about the practical experience of using LLM agents for finding, triaging and reporting vulnerabilities in open-source software such as Signal or 7-Zip! 📅 June 4, 16:45 EEST 📍 Vilnius, Lithuania 👉 https://bsidesvilnius.lt/

  • View organization page for GitHub Security Lab
    GitHub Security Lab

    6,321 followers

    Your mother tongue is the new programing language for creating exploits. For maintainer month, we took inspiration from #OpenClaw and built ProdBot! An intentionally vulnerable agent wired up with MCPs, skills, agentic workflows, and multi-agent capabilities. You will learn from it, while having fun! It runs in Codespaces, straight from your browser, in under two minutes. Play now at: gh.io/secure-code-game Learn more: https://lnkd.in/gacyENSm

Affiliated pages

Similar pages