3 Ways to Secure Your GitHub Workflows from Malicious Pull Requests
Don't get hacked. Implement these practices today to handle pull requests from forks safely without disabling your automation.
Secure your GitHub Actions. Learn 3 essential mitigation techniques: checking the PR's origin, gating on a maintainer-applied approval label, and gating jobs with protected environments.
Am I Vulnerable? How to Audit Your GitHub Actions for the pull_request_target Flaw
A practical guide to finding and fixing the common misconfiguration that lets untrusted code run with privileged access.
Audit your GitHub workflows for a critical security flaw. This guide helps you find where a `pull_request_target` workflow checks out, and then executes, untrusted pull-request code.
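As an added illustration (not code from this page or from Orca Security), the pattern an audit should flag, followed by the corrected workflow as a second YAML document. The workflow names, the npm commands and the `NPM_TOKEN` secret are assumptions.

```yaml
# Added example, not from the original page. Document 1 is the misconfiguration
# to look for; document 2 is the fix. Workflow names, commands and the
# NPM_TOKEN secret are assumptions.
#
# What to look for in .github/workflows/*.yml:
#   1. `on: pull_request_target` (alone or in a list of triggers)
#   2. an actions/checkout step whose `ref:` is github.event.pull_request.head.sha,
#      github.event.pull_request.head.ref, or github.head_ref
#   3. any later step that executes from the checked-out tree
# All three together mean attacker-controlled code runs with the base repo's
# secrets and a read/write GITHUB_TOKEN, because pull_request_target runs in
# the context of the base repository.
name: ci-vulnerable
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # (2) the PR's own code
      - run: npm ci && npm test                             # (3) runs its install scripts and tests
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}               # secrets are in scope
---
# Fix: this job needs neither write access nor secrets, so trigger it with
# pull_request instead. Checkout defaults to the PR merge commit, the token is
# read-only, repository secrets are not passed to fork PRs, and on public
# repositories first-time contributors' runs wait for maintainer approval.
name: ci-safe
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
```

If the job genuinely needs write access or secrets (labeling, commenting, deploying previews), the fix is not to switch the trigger but to keep `pull_request_target` and stop checking out or executing the PR's code in that job.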
From Fork to RCE: Deconstructing the Orca Security GitHub Actions Exploit
Following the attacker's path from creating a malicious fork to exfiltrating API keys and pushing code to protected branches.
A step-by-step breakdown of the 'Pull Request Nightmare' exploit. See how attackers abuse `pull_request_target` to execute code inside a privileged workflow and steal its secrets.
GitHub Actions Best Practices: Securing Your CI/CD Pipeline
Beyond this one vulnerability, here are the security practices every developer should follow in their workflows.
Harden your CI/CD pipeline. This guide covers GitHub Actions security best practices, from scoping token permissions to managing secrets and choosing safe triggers.
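An added example of those practices in one baseline workflow (illustrative, not from this page): a denied-by-default `permissions` block raised per job, `pull_request` for untrusted code, the secret scoped to the single step that uses it, and a publish job that is never reachable from a pull request. The workflow name, commands and the `NPM_TOKEN` secret are assumptions.

```yaml
# Added example, not from the original page. Names, commands and the NPM_TOKEN
# secret are assumptions.
name: build-and-publish
on:
  pull_request:                 # untrusted code: read-only token, no repository secrets for fork PRs
  push:
    branches: [main]
permissions: {}                 # deny every GITHUB_TOKEN scope by default
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # the only scope checkout and tests need
    steps:
      # Pin third-party actions to a full commit SHA in production rather than
      # a tag; tags can be moved to point at different code.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci && npm test

  publish:
    needs: test
    if: github.event_name == 'push'   # never runs for a pull request, so fork code cannot reach it
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org   # setup-node writes an .npmrc that reads NODE_AUTH_TOKEN
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # exposed to this step only, never interpolated into run:
```

Two habits this shows that are easy to miss: a secret reaches a step through `env`, never by writing `${{ secrets.X }}` into the `run:` script where it would end up in the shell command line, and the privileged job is separated from the one that builds untrusted code instead of being a later step in the same job.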
How to Safely Label Pull Requests Without Exposing Your Repo to Attack
The `pull_request_target` trigger is needed to label pull requests from forks, but it runs with write access and your secrets. Here's how to configure it correctly.
Need to auto-label PRs from forks? Learn the safe way to configure your `pull_request_target` workflow so that it never checks out or executes untrusted code.
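One way to do this, as an added example that is not the page's own code: a `pull_request_target` workflow that labels the PR using only event metadata and the GitHub CLI preinstalled on hosted runners, with no checkout at all. The workflow name and the label names are assumptions.

```yaml
# Added example, not from the original page. The label names are assumptions.
name: label-pull-requests
on:
  pull_request_target:
    types: [opened, reopened, synchronize]
permissions:
  pull-requests: write    # the one scope that labeling needs
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout: this job must never materialise the
      # PR's tree, let alone run anything from it. Everything it needs comes
      # from the event payload, passed through env rather than interpolated
      # into the script.
      - name: Add a triage label
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        run: |
          if [ "$HEAD_REPO" = "$GITHUB_REPOSITORY" ]; then
            label="needs-triage"
          else
            label="external-contribution"   # fork PR: flag it for a human to read first
          fi
          gh pr edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --add-label "$label"
```

The labels must already exist in the repository, and `--repo` is required because there is no checked-out git directory for `gh` to infer it from. If the job later grows a step that needs files from the PR, that is the moment it becomes the vulnerability described above; move such logic to a separate `pull_request` workflow instead.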
Patching Your Workflows: A Simple 'if' Statement to Prevent GitHub Actions Hacks
How to apply the simple, effective fix that stops malicious forked PRs from running privileged code in your repository.
Fix the `pull_request_target` vulnerability now. Learn how a single job-level `if` condition can check whether a PR comes from a fork and stop it before any privileged step runs.
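An added example (not from this page) covering this `if` check together with the other two mitigations listed in the first entry above, label gating and environment gating, in one `pull_request_target` workflow. The label name `safe-to-test`, the environment name `privileged-pr`, the script path and the `API_KEY` secret are assumptions.

```yaml
# Added example, not from the original page. The label name 'safe-to-test',
# the environment name 'privileged-pr', the script path and the API_KEY
# secret are assumptions.
name: privileged-pr-checks
on:
  pull_request_target:
    types: [opened, synchronize, reopened, labeled]
permissions:
  contents: read          # pull_request_target's token is read/write by default; shrink it
jobs:
  # Mitigation 1: origin check. Runs automatically only for branches pushed to
  # this repository. The condition sits on the job, not on a step, so no
  # checkout or other step runs before it is evaluated. head.repo is null once
  # a fork has been deleted; the comparison then fails closed.
  internal:
    if: >-
      github.event.action != 'labeled' &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./scripts/integration-tests.sh
        env:
          API_KEY: ${{ secrets.API_KEY }}

  # Mitigations 2 and 3: fork PRs run only on the 'labeled' event for a
  # maintainer-applied label, and only after the environment's required
  # reviewers approve. Reacting to the 'labeled' event rather than to the
  # label being present matters: a later push raises 'synchronize', not
  # 'labeled', so new commits never run until a maintainer reads them and
  # re-applies the label. head.sha is the commit that was labeled.
  external:
    if: >-
      github.event.action == 'labeled' &&
      github.event.label.name == 'safe-to-test' &&
      github.event.pull_request.head.repo.full_name != github.repository
    runs-on: ubuntu-latest
    environment: privileged-pr     # required reviewers are configured in repository settings
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./scripts/integration-tests.sh
        env:
          API_KEY: ${{ secrets.API_KEY }}
```

Compare the `full_name` of the head repository with `github.repository` rather than testing a boolean such as `head.repo.fork`, which is also true for a same-repository branch whenever the repository itself is a fork of something else.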
pull_request vs. pull_request_target: The GitHub Actions Trigger Hiding a Security Nightmare
Understanding the critical difference between these two triggers and why one of them can give attackers code execution inside your privileged workflows.
Learn the security-critical distinction between `pull_request` and `pull_request_target` in GitHub Actions. One runs fork code with a read-only token and no secrets; the other runs with write access and your secrets, and can expose both.
The 'Pull Request Nightmare': How RCE Was Found in Google & Microsoft Repos
A deep dive into the critical security flaw discovered by Orca Security (roin-orca) and how it turned ordinary PRs into critical threats.
Explore the `pull_request_target` vulnerability found by Orca Security. See how Fortune-100 companies were exposed to RCE from a single malicious pull request.
The Self-Hosted Runner Risk: Why the pull_request_target Flaw Is Even Worse
When an attacker can run code on your own infrastructure, the damage goes far beyond a compromised repository.
Discover why the `pull_request_target` vulnerability is worse on self-hosted runners: attacker code runs on machines you own, opening the door to lateral movement in your cloud and to cryptomining.