Breaking the Build: How Attackers Abuse GitHub Actions
CVE/FIRST VulnCon 2025 · Main Stage
In his VulnCon talk, "Breaking the Build: How Attackers Abuse GitHub Actions," Jonathan Evans, a GitHub Advisory Coordinator/Curator, dissects the security vulnerabilities in GitHub Actions, GitHub's widely used automation feature. The presentation is both a warning and a practical guide for developers and security professionals who build their **CI/CD (Continuous Integration/Continuous Deployment)** pipelines on GitHub Actions. Evans shows how seemingly innocuous misconfigurations, or a lack of understanding of how GitHub Actions works underneath, can lead to severe security breaches, including the theft of sensitive credentials and widespread supply chain compromise.
AI review
Evans delivers a competent, well-structured survey of the GitHub Actions attack surface — expression injection, PPE, and supply chain compromise — grounded in a real incident (the Coinbase/TJ Actions chain) and backed by actual CVEs. The content is accurate, the defensive guidance is practical, and his advisory background gives him credibility on the vulnerability taxonomy. But this is fundamentally a well-executed educational talk, not original research. The attack classes are documented, the Coinbase incident is public record, and the mitigations are GitHub's own published guidance restated…
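As an added example (not code from the talk, from GitHub, or from any of the projects mentioned), the following small linter checks workflow YAML for two of the weaknesses named above: untrusted event data expanded by `${{ }}` directly inside a `run:` script, and third-party actions referenced by a mutable tag instead of a commit SHA. Both workflow snippets, the action name `example-org/some-action` and the 40-character SHA are constructed placeholders; the hardened snippet passes the title through an environment variable, which is the pattern GitHub's own guidance recommends.

```python
import re
# Event-payload fields an outside contributor can influence (representative list, not exhaustive).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(event\.(issue|pull_request|comment|review|discussion|"
    r"head_commit|commits)\b[^}]*|head_ref\s*)\}\}"
)
SHA40 = re.compile(r"^[0-9a-f]{40}$")

def lint_workflow(text: str) -> list[str]:
    """Return findings for a workflow YAML string (line-oriented, no YAML library needed)."""
    findings: list[str] = []
    in_run, run_indent = False, 0
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        stripped = line.strip()
        run = re.match(r"^(?:-\s*)?run:\s*(.*)$", stripped)
        if run:  # start of a run: scalar, inline or block (| or >)
            in_run, run_indent, body = True, indent, run.group(1)
        elif in_run and (not stripped or indent > run_indent):
            body = stripped  # continuation line of a block scalar
        else:
            in_run, body = False, ""
        hit = UNTRUSTED.search(body) if body else None
        if hit:  # expanded into the script text before bash runs, so quoting cannot contain it
            findings.append(f"line {n}: untrusted expression in run: {hit.group(0)}")
        uses = re.match(r"^(?:-\s*)?uses:\s*([^\s@]+)@(\S+)", stripped)
        if uses and not SHA40.match(uses.group(2)):  # tags and branches are mutable, a SHA is not
            findings.append(f"line {n}: unpinned action {uses.group(1)}@{uses.group(2)}")
    return findings

# Constructed sample: the weak pattern and its hardened form side by side.
VULNERABLE = """\
on: issues
jobs:
  greet:
    steps:
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"
      - uses: example-org/some-action@v1   # placeholder action name
"""
HARDENED = """\
on: issues
jobs:
  greet:
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}   # passed as data, not code
        run: echo "New issue: $TITLE"
      - uses: example-org/some-action@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""
```

Running `lint_workflow` over the two samples reports two findings for the first and none for the second; the check is deliberately string-based so it can run in a pre-commit hook without extra dependencies.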