Post Content
GitHub Actions workflows are a prime target for supply chain attacks—from malicious pull requests exfiltrating secrets to compromised dependencies and hijacked tags. In this 15-minute session, we’ll walk through practical, high-impact strategies to protect your CI/CD pipelines, including how to inspect repos for hidden risks, shrink your attack surface, and lock down what your workflows can actually do. Leave with a concrete checklist to harden your workflows today. Stay safe!
𝗦𝗽𝗲𝗮𝗸𝗲𝗿𝘀:
* Erika Heidi
𝗦𝗲𝘀𝘀𝗶𝗼𝗻 𝗜𝗻𝗳𝗼𝗿𝗺𝗮𝘁𝗶𝗼𝗻:
This is one of many sessions from the Microsoft Build 2026 event. View even more sessions on-demand and learn about Microsoft Build at https://build.microsoft.com
ODSP938 | English (US) | Developer tools & frameworks, Cloud platform & data
Pre-recorded
#MSBuild
Chapters:
0:00 – Introduction by Erika Heidi and Overview of Talk
00:02:47 – Risks from Secrets Exposure and Write-Capable Tokens
00:03:49 – Preventing Malicious Code Propagation through Protected Branches and Tags
00:04:45 – Reducing Entry Points and Managing Dependencies to Lower Risk
00:05:34 – Removing Unnecessary Runtime and OS-Level Components
00:11:02 – Introducing Digestabot for maintaining up-to-date containers and workflows
00:12:26 – Case study: Trivy incident from PAT exfiltration
00:14:02 – Reducing attack surface and pulling from trusted sources
00:14:41 – Final summary: pin by digest, use Octo-STS, avoid long-lived tokens Read More Microsoft Developer