Adrian Mouat

Supply Chain Security and the Real World: Lessons From Incidents

One leaked secret in a Docker image compromised thousands of CI/CD pipelines. This talk dissects real-world breaches to show you how to truly secure your supply chain.

#1 (about 6 minutes)

Moving beyond abstract security metaphors and vague advice

Security advice often relies on unhelpful abstractions, but real-world incidents provide concrete, actionable guidance for developers.

#2 (about 3 minutes)

Analyzing the Codecov breach and its attack vector

The Codecov breach occurred when a secret in a Docker image led to a modified script that exfiltrated CI/CD environment variables.

#3 (about 5 minutes)

Securing Docker builds and verifying script downloads

Prevent secret leaks in Dockerfiles by using the `--secret` flag and always verify downloaded scripts with checksums or GPG signatures.
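The second half of this chapter, verifying a downloaded script before it runs, is the control that would have caught the Codecov tampering. The script below is an added example written for this page, not code from the talk or from any project it mentions. It assumes the expected SHA-256 is a value you already pinned (from the vendor's release page or your own repo); the "download" is a constructed local file so the example runs offline, and the tampered copy only appends a harmless echo line.

```shell
#!/bin/sh
# Added example (not from the talk or any project it mentions): check a
# downloaded installer script against a known-good SHA-256 digest before it is
# handed to a shell. In practice EXPECTED comes from the vendor's release notes
# or a value pinned in your repo; here the "download" is a constructed local
# file so the example runs offline.

set -eu

# sha256_of FILE -> prints the hex SHA-256 of FILE (GNU coreutils or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> exit status 0 on match, 1 on mismatch.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# run_verified FILE EXPECTED_HEX -> runs FILE with sh only if the digest matches.
# Returns 2 on refusal so CI can tell "refused to run" apart from "script failed".
run_verified() {
    if verify_sha256 "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: sha256 mismatch" >&2
        return 2
    fi
}

# Demo with a constructed installer script (stands in for `curl -fsSL ... -o`).
INSTALLER=$(mktemp)
printf '#!/bin/sh\necho "installer ran"\n' > "$INSTALLER"
EXPECTED=$(sha256_of "$INSTALLER")          # the digest you would have pinned

run_verified "$INSTALLER" "$EXPECTED"        # prints: installer ran

# Simulate a modified download: one extra line changes the digest.
printf 'echo "this line was not in the published script"\n' >> "$INSTALLER"
if run_verified "$INSTALLER" "$EXPECTED"; then
    echo "unexpected: tampered script executed"
else
    echo "tampered script blocked"
fi
rm -f "$INSTALLER"
```

The same idea carries over to the Docker side of the chapter: with BuildKit, a token is mounted for a single `RUN` step via `RUN --mount=type=secret,id=npm_token ...` and supplied at build time with `docker build --secret id=npm_token,src=/path/to/token`, so it never lands in an image layer the way an `ARG` or `COPY` would. Where a vendor publishes a GPG signature instead of a digest, `gpg --verify` on the signature file plays the role of `verify_sha256` here.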

#4 (about 2 minutes)

The risks of storing secrets in environment variables

Storing secrets in environment variables makes them easy to exfiltrate, so prefer identity federation, secret managers, or temporary files instead.

#5 (about 5 minutes)

Deconstructing the `changed-files` GitHub Action attack

A compromised dependency (`reviewdog`) was used to inject malicious code into the `changed-files` action, targeting Coinbase in a multi-stage attack.

#6 (about 2 minutes)

Hardening GitHub repositories and pinning dependencies

Mitigate attacks by enforcing commit signing, restricting tag updates, and pinning GitHub Actions to a specific content digest.
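Pinning to a content digest only helps if every workflow actually does it, so a practitioner wants a check that flags the ones that still reference a tag or branch. The script below is an added example for this page, not code from the talk or from GitHub; it scans a workflow file for `uses:` lines whose ref is not a full 40-hex commit SHA. The sample workflow it inspects is constructed for the example, and the all-zero SHA in it is a placeholder rather than a real commit.

```shell
#!/bin/sh
# Added example (not from the talk or any project it mentions): find `uses:`
# references in a GitHub Actions workflow that point at a mutable tag or branch
# (v4, main) instead of an immutable 40-hex commit SHA. Local actions (./path)
# and docker:// images are skipped; only owner/repo@ref references are judged.

set -eu

# find_unpinned_uses FILE -> prints "LINE: owner/repo@ref" for each reference
# whose ref is not a full commit SHA. Prints nothing when everything is pinned.
find_unpinned_uses() {
    grep -n -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" | while IFS= read -r line; do
        lineno=${line%%:*}
        ref=${line#*uses:}
        # drop surrounding whitespace/quotes and a trailing "# comment"
        ref=$(printf '%s' "$ref" | sed -E "s/^[[:space:]]*['\"]?//; s/['\"]?[[:space:]]*(#.*)?\$//")
        case "$ref" in
            ./*|docker://*) continue ;;   # out of scope for this check
        esac
        tag=${ref#*@}
        # no "@ref" at all, or a ref that is not 40 hex chars: not digest-pinned
        if [ "$tag" = "$ref" ] || ! printf '%s' "$tag" | grep -q -E '^[0-9a-f]{40}$'; then
            printf '%s: %s\n' "$lineno" "$ref"
        fi
    done
    return 0
}

# count_unpinned FILE -> prints how many unpinned references were found.
count_unpinned() {
    find_unpinned_uses "$1" | wc -l | tr -d ' '
}

# make_constructed_workflow PATH -> writes a sample workflow (constructed for this
# example; the zero SHA is a placeholder, not a real commit).
make_constructed_workflow() {
    cat > "$1" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.1.0 (placeholder SHA)
      - uses: actions/setup-node@v4
      - uses: "tj-actions/changed-files@main"
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: echo build
EOF
}

# Demo: expect the setup-node and changed-files lines to be reported.
WF=$(mktemp)
make_constructed_workflow "$WF"
echo "unpinned references in $WF:"
find_unpinned_uses "$WF"
rm -f "$WF"
```

Run it over `.github/workflows/*.yml` in CI and fail the job when `count_unpinned` is non-zero. Keeping the human-readable version in a trailing comment, as the checkout line does, is the usual convention, and Dependabot's GitHub Actions updater will bump SHA-pinned references for you so the pin does not go stale.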

#7 (about 2 minutes)

Replacing long-lived credentials with short-lived tokens

Eliminate a common attack vector by replacing long-lived credentials with short-lived tokens generated via identity federation like OIDC.

#8 (about 1 minute)

Summary of actionable supply chain security advice

A final recap covers key actions like verifying downloads, avoiding secrets in environment variables, pinning actions, and using short-lived credentials.
