Play all

Intro

What are GitHub workflows?

What are GitHub Actions?

Workflow example

Repository security

Code - Who has access?

Configuring access

From the user

Workflow secrets

Who has access to your secrets?

Your code - Best practices

GitHub Actions Security

Best practice: Run the action inside of a container

Persisting data between runs

Workflow runners - Best practice

Verified Creator

Protective measures

Recommendation

Workflow attack vectors

Forks of public repos

Pull Requests

Common fields

Remediation

Forking actions

Staying up to date

Update action versions

Option 1: Use SHA+Dependabot

Use Dependabot

Keep your forked action up to date

Review before merging

Automation

Pros of forking

Best practices summarized

Description:

Explore GitHub Actions security best practices in this NDC Security 2022 conference talk. Learn how to secure your CI/CD pipelines, manage access control, protect sensitive information, and mitigate potential vulnerabilities in your workflows. Discover techniques for safeguarding repository access, handling workflow secrets, and implementing protective measures for runners. Gain insights into managing fork-based security risks, staying up-to-date with action versions, and leveraging automation for enhanced security. Equip yourself with practical knowledge to strengthen your GitHub Actions security posture without compromising DevOps efficiency.

How to Use GitHub Actions with Security in Mind

NDC Conferences

Add to list

#Conference Talks #NDC Conferences #Programming #Software Development #Version Control #GitHub #Computer Science #DevOps #CI/CD #GitHub Actions #Continuous Deployment #Continuous Integration #Information Security (InfoSec) #Cybersecurity #Access Control #Database Management #Data Persistence

0:00 / 0:00