Elbsides 2025

Michael Goberman

Michael Goberman is the Director of Product Security at Axonius, where he leads the Application Security department. He brings extensive industry experience across a diverse range of cybersecurity roles, demonstrating strong leadership in securing modern enterprise applications and infrastructure.

https://www.linkedin.com/in/michael-goberman/


Session

13 June 2025, 12:15, 30 min
Breaking the CI/CD Chain: Security Risks in GitHub Actions
Igor Stepansky, Michael Goberman

GitHub Actions have become a critical part of CI/CD pipelines, but do you really know what's happening under the hood?

This talk will break down GitHub Actions concepts, explore their security risks, and highlight how third-party actions in the supply chain can introduce vulnerabilities. We'll examine real-world examples of misconfigurations, critical security risks, and unexpected workflow behaviors that attackers can exploit.

We'll also discuss the March 2025 compromise of tj-actions/changed-files (CVE-2025-30066), in which the action's release tags were repointed to a malicious commit that dumped secrets from runner memory into workflow logs, and we'll analyze how attackers exploit risks like these and which security best practices mitigate them.

Additionally, we'll compare existing security tools, from static analysis scanners to runtime monitoring solutions, and discuss how teams can integrate them into their CI/CD pipelines. Finally, we'll introduce a new tool designed to identify and analyze transitive actions (actions pulled in by the actions a workflow references), making it easier to assess their impact and reduce security risk.
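The two checks the abstract keeps returning to, mutable references to third-party actions (including ones reached transitively through composite actions) and attacker-controlled event data spliced into `run:` scripts, as an added example that is not the speakers' tool or any code from the talk: a dependency-free Python scanner over raw workflow YAML, with a vulnerable workflow beside its hardened form. The two workflows, the `example-org` actions, the composite `action.yml` contents in `REGISTRY` (a stand-in for fetching each referenced action's `action.yml` from GitHub) and every commit SHA are constructed for the example.

```python
"""Offline checker for two GitHub Actions supply-chain risks from the talk:
actions referenced by a mutable ref (tag or branch) instead of a commit SHA,
also when reached transitively through composite actions, and untrusted event
data interpolated into run: scripts. Added example, not the speakers' tool;
the workflows, action.yml files, example-org actions and SHAs are constructed."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
RUN_RE = re.compile(r"^(\s*)(?:-\s*)?run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
# Expression contexts an external contributor controls; spliced into a shell
# script, they let the contributor run commands on the runner.
UNTRUSTED_PREFIXES = (
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.head_ref",
    "github.event.issue.title", "github.event.issue.body",
    "github.event.comment.body", "github.event.review.body",
)

VULNERABLE = """\
on: pull_request_target
permissions: write-all
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: example-org/lint-action@8f1d0c2e5b4a7f9e3d6c1b0a9f8e7d6c5b4a3f2e
      - name: Greet the contributor
        run: |
          echo "Thanks for ${{ github.event.pull_request.title }}"
"""

HARDENED = """\
on: pull_request
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@a1b2c3d4e5f60718293a4b5c6d7e8f9001122334  # v4
      - uses: tj-actions/changed-files@4d3c2b1a0f9e8d7c6b5a49382716050f1e2d3c4b  # v45
      - name: Greet the contributor
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Thanks for $PR_TITLE"
"""

# Stand-in for fetching each referenced action's action.yml from GitHub.
REGISTRY = {
    "example-org/lint-action@8f1d0c2e5b4a7f9e3d6c1b0a9f8e7d6c5b4a3f2e":
        "runs:\n  using: composite\n  steps:\n"
        "    - uses: example-org/setup-tooling@main\n",
    "example-org/setup-tooling@main":
        "runs:\n  using: composite\n  steps:\n    - uses: actions/setup-node@v4\n",
}

def find_unpinned(yaml_text, registry, chain=(), seen=None):
    """Return 'a@ref -> b@ref' chains whose last hop is not a 40-hex SHA.
    SHA-pinned actions are still descended into: a composite action pinned
    by SHA can itself pull an inner action by a mutable tag."""
    seen = set() if seen is None else seen
    findings = []
    for m in filter(None, map(USES_RE.match, yaml_text.splitlines())):
        key = m.group(1)
        if key.startswith(("./", "docker://")):  # local path or image, no git ref
            continue
        path = chain + (key,)
        if not SHA_RE.match(key.partition("@")[2]):
            findings.append(" -> ".join(path))
        if key in registry and key not in seen:  # follow the transitive edge
            seen.add(key)
            findings.extend(find_unpinned(registry[key], registry, path, seen))
    return findings

def find_script_injection(yaml_text):
    """Return (line_no, expression) for untrusted contexts inside run: scripts."""
    findings = []
    block_indent = None  # indent of the key that opened a multi-line run block
    for line_no, line in enumerate(yaml_text.splitlines(), 1):
        m = RUN_RE.match(line)
        if m:
            text = m.group(2).strip()
            block_indent = len(m.group(1)) if text in ("|", "|-", ">", ">-") else None
        elif block_indent is not None and (
                not line.strip() or len(line) - len(line.lstrip()) > block_indent):
            text = line
        else:
            block_indent = None
            continue
        for expr in EXPR_RE.findall(text):
            if expr.startswith(UNTRUSTED_PREFIXES):
                findings.append((line_no, expr))
    return findings

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, find_unpinned(wf, REGISTRY), find_script_injection(wf))
```

On the vulnerable workflow the scanner reports the two mutable tags, and, although `lint-action` is itself pinned by SHA, the chain through it to `setup-tooling@main` and on to `actions/setup-node@v4`, which is exactly the transitive exposure a per-workflow review misses. The hardened form pins every action to a commit SHA (with the tag kept as a trailing comment for readability), reduces `permissions:` to `contents: read`, and moves the PR title into an environment variable so the shell sees a quoted `$PR_TITLE` rather than text pasted into the script. The parser is line-based rather than a full YAML parser, and it does not model step outputs derived from PR content (changed file names, for example), which are untrusted in the same way.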

Attendees will leave with a deeper understanding of the GitHub Actions security landscape, real-world case studies, and practical techniques for proactively securing their workflows, along with a new tool that simplifies the process.

Elbkuppel