
How to Mitigate the Risk of GitHub Actions
Get highlights of our research into the security of GitHub Actions, and our advice on mitigating the risk.

Preview of State of GitHub Actions Security Report: Security of GH Workflows Building Blocks
Understand the security status of GitHub Actions workflows and how to mitigate the risk.

Security of Custom GitHub Actions
Get details on Legit's research on the security of custom GitHub Actions.

Announcing The State of GitHub Actions Security Report
Get details on Legit's research on the security of GitHub Actions.

Using AI to Reduce False Positives in Secrets Scanners
Get an overview of how secrets scanners work, and how Legit is dramatically reducing secret-scanning false positives.

GenAI-Based Application Security 101
Gain insights into GenAI applications and how they represent an innovative category of technology, leveraging Large Language Models (LLMs) at their core.

OpenSSF SCM Best Practices Guide Released With Contributions From Legitify
We're thrilled to share that the OpenSSF SCM Best Practices working group has released its SCM Best Practices Guide. This guide is the result of collaborative efforts between Legit Security and several of the industry's top security vendors under the OpenSSF banner to bring this guide to life.

Legit Security and CrowdStrike: Securing Applications from Code Creation to Cloud Deployment
Cloud environments and the applications running on them present an enormous attack surface that’s frequently exploited. Protecting runtime environments in the cloud is certainly a top concern for any CISO, but solutions that detect and mitigate vulnerabilities in the cloud also bring operational challenges, noise, and remediation obstacles that can ...

How We Found Another GitHub Action Environment Injection Vulnerability in a Google Project
This blog shows another case of a GitHub Actions environment injection vulnerability in a Google repository. The previous case, where we found vulnerabilities in Firebase repositories, can be found here with a detailed explanation of the underlying mechanism that allows this type of vulnerability. By exploiting this vulnerability an attacker could ...

Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable
The Legit Security Research Team discovered a new class of software supply chain vulnerabilities that leverages artifact poisoning and attacks the underlying software development pipelines for projects using GitHub Actions. In this fourth blog covering vulnerable GitHub Actions, we will explore this new technique of artifact poisoning and describe who ...