Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Git

appknox

GitHub Repository Code Stealing Continues: Reported By Slack

Slack is a very popular corporate messaging app with 20 million daily active users. They recently announced suffering from a data breach on their code repository on Github. Ever since layoff has become a trend or a harsh reality, the world of cybercrime has become proactive as a company experiencing a layoff may have less resources to devote to cybersecurity, making it a more vulnerable target for cybercriminals.

nightfall

2022 in Review: 4 Lessons We've Learned from 2022's Largest GitHub Breaches

2022 revealed that security challenges remain for organizations leveraging GitHub. Between supply chain attacks, API key leaks, and other security risks, there are plenty of lessons and takeaways from this year’s GitHub-related headlines. In this post, we’ve rounded up and categorized the year’s largest GitHub stories. Read on to learn more about the types of security risks occurring in GitHub and the lessons you’ll want to take with you into 2023 and beyond.

CrowdStrike

"Gitting" the Malware: How Threat Actors Use GitHub Repositories to Deploy Malware

The CrowdStrike Falcon Complete™ managed detection and response (MDR) team recently uncovered a creative and opportunistic interpretation of a watering hole attack that leverages GitHub to gain access to victim organizations. In the observed cases, there were no phishing emails, no exploitation of public-facing vulnerabilities, no malvertising and no compromised credentials.

sysdig

Image Scanning with GitHub Actions

Scanning a container image for vulnerabilities or bad practices on your GitHub Actions using Sysdig Secure is a straightforward process. This article demonstrates a step-by-step example of how to do it. The following proof of content showcased how to leverage the sysdig-cli-scanner with GitHub Actions. Although possible, it is not officially supported by Sysdig, so we recommend checking the documentation to adapt these steps to your environment.

Snyk

Rediscovering argument injection when using VCS tools - git and mercurial

One of the main goals for this research was to explore how it is possible to execute arbitrary commands even when using a safe API that prevents command injection. The focus will be on Version Control System (VCS) tools like git and hg (mercurial), that, among some of their options, allow the execution of arbitrary commands (under some circumstances). The targets for this research are web applications and library projects (written in any programming language) that call these commands using a safe API.

SecDevOps & LimaCharlie: Automating and auditing of Github access.

LimaCharlie's Security Infrastructure as a Service (SIaaS) approach makes it ideal for securing your CI/CD pipeline and building security solutions that make sense for you. In this video LimaCharlie founder and CEO, Maxime Lamothe-Brassard, walks through various ways to visibility and add layers of protection to your development process.
Snyk

Building a secure CI/CD pipeline with GitHub Actions

GitHub Actions has made it easier than ever to build a secure continuous integration and continuous delivery (CI/CD) pipeline for your GitHub projects. By integrating your CI/CD pipeline and GitHub repository, GitHub Actions allows you to automate your build, test, and deployment pipeline. You can create workflows that build and test every pull request to your repository or deploy merged pull requests to production.

mend

3 New GitHub Features to Reinforce Your Code, Repo, and Dependency Security

Developers love GitHub. It’s the biggest and most powerful collaboration platform that programmers, developers, and companies use to develop and maintain their software. It’s the biggest source code host with more than 200 million repositories. And it keeps growing. In 2021, more than 73 million developers used GitHub. It gained over 16 million new users in 2021 alone, and GitHub estimates that user numbers will increase to 100 million developers in the next five years.