< ciso
brief />
Tag Banner

All news with #pipeline security tag

3 articles

GitHub updates actions/checkout to block pwn requests

🔒 GitHub is updating the official actions/checkout action to refuse common pwn request patterns by default, effective June 18, 2026, with backports planned for July 16, 2026. The change prevents checking out forked pull request head or merge commits in pull_request_target and certain workflow_run events unless authors explicitly set allow-unsafe-pr-checkout to true. This aims to reduce attacks that exploit privileged workflows to steal secrets or the GITHUB_TOKEN.
read more →

Amazon ECS adds pause-and-continue deployment hooks

⏸️ Amazon Elastic Container Service (Amazon ECS) now supports configurable pause points in service deployments, allowing operators to halt progression at critical stages for manual approvals, tests, or operational checks. ECS emits Amazon EventBridge events at pause points and provides the ContinueServiceDeployment API to resume or rollback. Pause hooks support timeouts up to 14 days and configurable timeout actions. The feature integrates with native deployment strategies and is available across commercial and GovCloud Regions.
read more →

Implementing Defense-in-Depth for AWS CodeBuild Pipelines

🔒 This guide consolidates practical recommendations for securing AWS CodeBuild CI/CD pipelines, emphasizing webhook configuration, trust boundaries, and least-privilege access. It warns against automatic pull request builds from untrusted contributors and prescribes push-based, branch-based, and contributor-filtered webhook patterns, plus staged rollout using Infrastructure as Code. Additional safeguards include scoped GitHub tokens, per-build IAM roles, isolated build environments, CloudTrail logging, and manual approval gates for sensitive deployments.
read more →