Ep06: "GitHub Security horror stories" (with Steve Giguere)
An episode of the Tech Beats Unplugged podcast, hosted by Cloud Dude, titled "Ep06: GitHub Security horror stories (with Steve Giguere)", was published on June 10, 2025 and runs 65 minutes.
June 10, 2025 · 65m · Tech Beats Unplugged
Episode Description
👨🏽‍🚀 Welcome to Episode 06 of "Tech Beats unplugged"
This time, we're diving headfirst into the craziest GitHub security stories, and who better to join us than Steve Giguere, an industry veteran and security expert who's seen it all.
From supply chain security mayhem to GitHub Actions gone wrong, we uncover real-world security blunders, attack vectors, and best practices to keep your repos and workflows safe.
🌟 We're so excited to share our latest Tech Beats show with you 🧡! Please share away 🤗
We hope you'll enjoy it!!!
Topics discussed:
- (00:00) Introduction
- (03:53) Software Supply Chain Security acronyms (SAST, DAST, IAST, etc.)
- (09:15) "A workflow is an application within your application" - What does that mean?!
- (12:16) Public vs. Private Repos - Are private orgs still at risk?
- (18:27) Self-hosted runners: Safe or security nightmare?
- (21:16) GitHub Environment Variables - How critical are they?
- (22:55) Secrets, masks, and how secure they really are
- (28:05) Artifact vs. Caching: Which is safer?
- (31:27) Craziest GitHub security screw-ups Steve has ever seen 🔥
- (36:42) Common attack vectors in GitHub Actions
- (44:19) Best security practices for GitHub Actions - Low-hanging fruit fixes 🍏
- (50:22) Are public actions safe? Can they be scanned?
- (53:52) xz backdoor fiasco - Lessons from the latest supply chain attack
- (59:00) NVD's slowdown - What's at stake?
Show Notes
CI/CD Goat (Deliberately vulnerable CI/CD environment): GitHub
GitHub cache poisoning: Cacheract Attack | ScribeSecurity
Your GitHub Secrets in Plain Text: CloudThrill
Ghat tool (Updating dependencies in GitHub Actions): GitHub
OpenSSF Scorecard: Website
The GitHub Worm (Asi Greenholts): Palo Alto Blog
OWASP Top 10 CI/CD Risks: OWASP
Heartbleed OpenSSL Exploit: Wikipedia
🎙 About Steve Giguere:
Website: stevegiguere.com
LinkedIn: Steve Giguere
Book: Cloud Native Application Protection Platforms – O'Reilly
Personal Blog: Codifyre
Talk Lessons Learned from OSS and GitOps Journey: YouTube
OWASP Lisbon Talk: YouTube
StayWiredIn YouTube Show: StayWiredIn
DevSecOps Podcast: Spotify