- Use Static analysis for GHA to catch security issues: https://github.com/zizmo...

keyle · 2026-05-20T01:41:33 1779241293

The only way to 'harden your github actions' is to not use github actions.

abuani · 2026-05-20T12:22:00 1779279720

Maybe GitHub being popped for their own insecure by design platform, will cause them to reconsider growth at all costs. I know it's wishful thinking, but the amount of security incidents the past few years because of how actions was designed is wild. It would be great for them to finally recognize this and take ownership.

vldszn · 2026-05-20T12:28:23 1779280103

fair point

vldszn · 2026-05-20T02:09:41 1779242981

Makes sense tbh :)

robbiet480 · 2026-05-20T02:14:20 1779243260

Thanks for making me aware of zizmor, just ran and fixed all issues on our core repos.

vldszn · 2026-05-20T02:25:35 1779243935

You are welcome! Recently discovered it and found it genuinely useful. Fixed a bunch of issues in my workflows too :)

bodash · 2026-05-20T09:37:36 1779269856

few more tips here: https://github.com/bodadotsh/npm-security-best-practices

vldszn · 2026-05-20T04:21:37 1779250897

Disabling vscode/cursor extensions auto-updates also makes sense

nottorp · 2026-05-20T11:39:22 1779277162

Can that even be done?

Even if there are knobs you can turn to disable auto updates, does that cover everything that decides to change your software behind your back?

mrgoldenbrown · 2026-05-20T19:41:27 1779306087

On vscode you can control autoupdates. (Still trying to find a way to control zed's overeager updating)

nottorp · 2026-05-21T11:37:11 1779363431

For vscode or for any extension as well?

Are there misbehaving extensions with their own mechanisms?

vldszn · 2026-05-20T20:34:44 1779309284

UPD: disable auto-updates for extensions in VS Code/Cursor!

benoau · 2026-05-20T00:40:56 1779237656

You also need to make sure you take care using PR titles and descriptions in your GHA because if they contain `text` it *may be executed lmfao.

edited: not "will", may depending on your GHA

vldszn · 2026-05-20T00:43:33 1779237813

Maybe zizmor could catch this https://github.com/zizmorcore/zizmor but not sure 100%

insanitybit · 2026-05-20T02:31:55 1779244315

Yeah, zizmor checks for template injection.

vldszn · 2026-05-20T03:06:55 1779246415

CGamesPlay · 2026-05-20T01:02:24 1779238944

Can you cite this? It's not YAML execution syntax, surely Github doesn't do it, the only vector I can see is if you put it unquoted into a shell script inside of a GHA yaml.

benoau · 2026-05-20T02:27:18 1779244038

https://github.com/orgs/community/discussions/27065

https://stackoverflow.com/questions/77090044/github-actions-...

https://www.praetorian.com/blog/pwn-request-hacking-microsof...

All you need is user content containing `backticked`, and a github action referencing that via eg "github.event.issue.title" where the shell would normally execute `backticked` as a command (like echo, cat, etc).

theteapot · 2026-05-20T01:42:52 1779241372

I think he means template-injection -- https://woodruffw.github.io/zizmor/audits/#template-injectio...

benoau · 2026-05-20T02:40:07 1779244807

Yes that's it.