appsec.fyi · Sources

github.blog

7 curated AppSec resources from github.blog across 5 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-28.

| Date Added | Resource | Year | Topics | Excerpt |
|---|---|---|---|---|
| 2026-04-28 | Securing the git push pipeline: Responding to a critical remote code execution vulnerability | 2026 | RCE, Supply Chain | Writeup of CVE-2026-3854, a critical remote code execution vulnerability in GitHub's `git push` pipeline. The vulnerability allowed arbitrary command execution on the server by crafting a `git push` command with unsanitized push options that manipulated internal metadata, bypassing sandboxing. GitHub deployed a fix within hours to github.com and released patches for GitHub Enterprise Server, recommending immediate upgrades. The investigation found no evidence of exploitation. |
| 2026-04-22 | What's Coming to Our GitHub Actions 2026 Security Roadmap | 2026 | Supply Chain | Library for securing GitHub Actions; this roadmap details upcoming features to enhance supply chain security. Key developments include workflow dependency locking with commit SHAs for reproducibility, policy-driven execution protections through rulesets to control triggers and permissions, and scoped secrets that bind credentials to specific contexts, preventing over-permissioning and blurred trust boundaries. Additionally, enterprise-grade endpoint protections are introduced with the Actions Data Stream for visibility and a native egress firewall for control, addressing challenges seen in recent attacks like those on tj-actions/changed-files and Nx. |
| 2026-04-19 | GitHub Found 39M Secret Leaks in 2024 — The GitHub Blog | 2026 | Secrets | Library for GitHub Advanced Security, featuring Secret Protection and Code Security, which addresses the pervasive issue of exposed secrets, which led to 39 million leaks on GitHub in 2024. It emphasizes built-in push protection for public repositories and introduces affordable standalone products and a free point-in-time scan for organizations to identify and manage secret exposures effectively, partnering with vendors like AWS and Google Cloud Platform to enhance detection accuracy. |
| 2026-04-17 | Find secrets with GitHub secret risk assessment | 2026 | Secrets | Tool for scanning GitHub organizations for secret leaks, providing insights into public exposures, private exposures, and token types. Available on GitHub Team and Enterprise plans starting April 1, 2025, this assessment helps identify affected repositories and the number of secrets leaked per type, offering a clear view of an organization's secret footprint without storing or sharing specific secrets. |
| 2026-04-11 | Bugs That Survive Continuous Fuzzing | 2026 | Fuzzing | Library detailing vulnerabilities that persist despite continuous fuzzing in open-source projects like GStreamer, Poppler, and Exiv2. It highlights issues arising from insufficient code coverage, unmonitored dependencies (e.g., DjVuLibre in Poppler), and neglected encoding logic, demonstrating the ongoing need for human oversight and expertise beyond automated fuzzing initiatives like OSS-Fuzz. |
| 2026-04-11 | SLSA 3 Compliance with GitHub Actions and Sigstore | 2026 | Supply Chain | Library for achieving SLSA 3 compliance, integrating GitHub Actions with Sigstore's Cosign, Fulcio, and Rekor. This solution automates the generation of non-forgeable build provenance for Go projects, enabling verification of software authenticity and build origins. It addresses supply chain security concerns highlighted by incidents like Log4j and SolarWinds, allowing users to audit and replicate builds without managing their own signing keys. |
| 2026-04-11 | Sign in as anyone: Bypassing SAML SSO authentication with parser differentials | 2026 | AuthN | Library for bypassing SAML SSO authentication by exploiting parser differentials in ruby-saml (versions up to 1.17.0), leading to CVE-2025-25291 and CVE-2025-25292. Attackers can craft SAML assertions using a valid signature to achieve account takeover. Researchers discovered that ruby-saml uses both REXML and Nokogiri XML parsers, and exploiting differences in how they process XML allowed for signature verification bypass, as demonstrated against GitLab. |