github.blog

12 curated AppSec resources from github.blog across 9 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-11.

| Date Added | Resource | Topics | Excerpt |
| --- | --- | --- | --- |
| 2026-06-11 | Dedicated security review command now available in Copilot CLI | API Sec | Library for AI-driven security reviews via GitHub Copilot CLI. The experimental `/security-review` command analyzes local code changes directly in the terminal, flagging high-confidence findings and offering actionable suggestions for vulnerabilities like injection flaws, XSS, insecure data handling, path traversal, and weak cryptography. This tool complements existing GitHub security features by providing a lightweight, on-demand scan before commits. |
| 2026-06-08 | How to scan for vulnerabilities with GitHub Security Lab’s open source AI-powered framework | AI, AuthZ, Secrets | Framework automating security vulnerability detection using AI-powered taskflows. It breaks down code repositories into components, gathers contextual information through threat modeling, and then uses LLMs to suggest and audit potential vulnerabilities, focusing on high-impact issues like authorization bypasses and information disclosure. The framework is open-source and requires a GitHub Copilot license for execution. |
| 2026-06-08 | A year of open source vulnerability trends: CVEs, advisories, and malware | Supply Chain | Analysis of 2025 open-source vulnerability trends reveals a significant increase in npm malware advisories, including campaigns like SHA1-Hulud, and a 35% surge in CVE records published by GitHub's CNA. While reviewed advisories decreased, newly reported vulnerabilities increased, with cross-site scripting (CWE-79) remaining prevalent, alongside notable rises in resource exhaustion (CWE-400, CWE-770), unsafe deserialization (CWE-502), and server-side request forgery (CWE-918). CWE tagging became more specific, improving triage accuracy, and the use of CVSS and EPSS scoring is recommended for prioritizing responses to vulnerabilities like CWE-863 ("Incorrect Authorization"). |
| 2026-06-08 | Securing the open source supply chain across GitHub | Supply Chain | Library for securing open source supply chains, focusing on GitHub Actions. It details how to enable CodeQL for workflow reviews, implement best practices like pinning third-party Actions to SHAs and avoiding `pull_request_target` triggers, and leverage OpenID Connect tokens for authorization instead of secrets. The library also highlights GitHub's partnership with OpenSSF for trusted publishing across npm, PyPI, NuGet, RubyGems, and Crates, and discusses ongoing efforts in malware detection and response to evolving threats like Shai-Hulud. |
| 2026-06-08 | Hack the AI agent: Build agentic AI security skills with the GitHub Secure Code Game | AI, Bug Bounty | Library for learning agentic AI security skills by exploiting and fixing intentionally vulnerable code. Season 4 of the GitHub Secure Code Game places participants in ProdBot, a simulated AI assistant, to discover vulnerabilities mirroring real-world risks like goal hijacking and tool misuse. The game progresses through five levels, introducing capabilities like bash command execution, web browsing, tool integration, and multi-agent workflows, allowing players to practice identifying and mitigating threats akin to CVE-2026-25253. |
| 2026-04-28 | Securing the git push pipeline: Responding to a critical remote code execution vulnerability | RCE, Supply Chain | Writeup of CVE-2026-3854, a critical remote code execution vulnerability in GitHub's `git push` pipeline. The vulnerability allowed arbitrary command execution on the server by crafting a `git push` command with unsanitized push options that manipulated internal metadata, bypassing sandboxing. GitHub deployed a fix within hours to github.com and released patches for GitHub Enterprise Server, recommending immediate upgrades. The investigation found no evidence of exploitation. |
| 2026-04-22 | What's Coming to Our GitHub Actions 2026 Security Roadmap | Supply Chain | Library for securing GitHub Actions, this roadmap details upcoming features to enhance supply chain security. Key developments include workflow dependency locking with commit SHAs for reproducibility, policy-driven execution protections through rulesets to control triggers and permissions, and scoped secrets to bind credentials to specific contexts, preventing over-permissioning and blurring trust boundaries. Additionally, enterprise-grade endpoint protections are introduced with the Actions Data Stream for visibility and a native egress firewall for control, addressing challenges seen in recent attacks like those on tj-actions/changed-files and Nx. |
| 2026-04-19 | GitHub Found 39M Secret Leaks in 2024 — The GitHub Blog | Secrets | Library for GitHub Advanced Security, featuring Secret Protection and Code Security, addresses the pervasive issue of exposed secrets, which led to 39 million leaks on GitHub in 2024. It emphasizes built-in push protection for public repositories and introduces affordable standalone products and a free point-in-time scan for organizations to identify and manage secret exposures effectively, partnering with vendors like AWS and Google Cloud Platform to enhance detection accuracy. |
| 2026-04-17 | Find secrets with GitHub secret risk assessment | Secrets | Tool for scanning GitHub organizations for secret leaks, providing insights into public exposures, private exposures, and token types. Available on GitHub Team and Enterprise plans starting April 1, 2025, this assessment helps identify affected repositories and the number of secrets leaked per type, offering a clear view of an organization's secret footprint without storing or sharing specific secrets. |
| 2026-04-11 | Bugs That Survive Continuous Fuzzing | Fuzzing | Library detailing vulnerabilities that persist despite continuous fuzzing in open-source projects like GStreamer, Poppler, and Exiv2. It highlights issues arising from insufficient code coverage, unmonitored dependencies (e.g., DjVuLibre in Poppler), and neglected encoding logic, demonstrating the ongoing need for human oversight and expertise beyond automated fuzzing initiatives like OSS-Fuzz. |
| 2026-04-11 | SLSA 3 Compliance with GitHub Actions and Sigstore | Supply Chain | Library for achieving SLSA 3 compliance, integrating GitHub Actions with Sigstore's Cosign, Fulcio, and Rekor. This solution automates the generation of non-forgeable build provenance for Go projects, enabling verification of software authenticity and build origins. It addresses supply chain security concerns highlighted by incidents like Log4j and SolarWinds, allowing users to audit and replicate builds without managing their own signing keys. |
| 2026-04-11 | Sign in as anyone: Bypassing SAML SSO authentication with parser differentials | AuthN | Library for bypassing SAML SSO authentication by exploiting parser differentials in ruby-saml (versions up to 1.17.0), leading to CVE-2025-25291 and CVE-2025-25292. Attackers can craft SAML assertions using a valid signature to achieve account takeover. Researchers discovered that ruby-saml uses both REXML and Nokogiri XML parsers, and exploiting differences in how they process XML allowed for signature verification bypass, as demonstrated against GitLab. |