c0c0n 2026

c0c0n is a 19-year-old platform aimed at providing opportunities to showcase, educate, understand and spread awareness on Information Security, data protection, and privacy...

Venue & Date

c0c0n 3-Day Professional Training

Attacking and Defending GitHub CI CD Pipelines

GitHub is where code, identity, automation, and release trust meet. If your org ships software, your GitHub org is part of your production environment.

This training shows how attackers abuse GitHub Actions, runners, tokens, and integrations to compromise builds and releases, then switches to defense with a practical hardening playbook and an organization level security review.

Format: hands-on, scenario-driven, guided labs, plus a capstone.

Course Content

Module 1: GitHub Actions and runner fundamentals
  • GitHub Actions mental model: events, workflows, jobs, steps
  • Hosted runners vs self-hosted runners
  • Runner labels, groups, and isolation boundaries
  • Artifacts, caches, environments, reusable workflows, composite actions
  • Where secrets live and how they flow through pipelines

Lab: Build a mental map of a target GitHub org and identify high value workflow entry points

Module 2: Threat modeling GitHub CI/CD
  • What attackers want from pipelines: tokens, secrets, signing keys, cloud access, release channels
  • Org, team, repo, and environment permissions as trust boundaries
  • Token surface: GITHUB_TOKEN, PATs, fine-grained tokens, deploy keys, app tokens
  • Third-party actions and reusable workflows as dependencies

Lab: Create a CI/CD threat model for a GitHub Actions workflow and assign concrete abuse paths.

Module 3: Recon and initial access paths
  • Enumerating repos, workflows, triggers, and risky patterns
  • Attack surface created by forks, PRs, and automation bots
  • Abuse of misconfigured repo settings and weak governance
  • Practical attacker entry points: compromised accounts, token leaks, malicious action updates

Lab: Identify a viable initial access path into a vulnerable org using only GitHub visible signals.

Module 4: Workflow exploitation techniques
  • Workflow permission pitfalls and over-privileged tokens
  • Expression and context injection patterns
  • Command execution paths via workflow steps and scripts
  • Artifact and cache poisoning strategies
  • Secret exposure via logs, artifacts, and unsafe debugging

Lab: Exploit a vulnerable workflow to gain unauthorized access to secrets and build outputs.

Module 5: Pull request trust boundaries
  • Risk review of common triggers: pull_request, pull_request_target, workflow_run, issue_comment
  • Why untrusted code and privileged contexts collide
  • Safe patterns for CI on forks and external contributions
  • Guardrails for workflow changes and sensitive steps

Lab: Demonstrate a PR-driven abuse path, then refactor the workflow to remove the class of bug.

Module 6: Self-hosted runner compromise and lateral movement
  • Runner placement mistakes that turn CI into an internal pivot box
  • Shared runners and persistent runners as a persistence surface
  • Credential harvesting and network adjacency abuse
  • Designing safer runner topologies
  • When ephemeral runners are worth it

Lab: Compromise a self-hosted runner and show lateral movement. Apply hardening and validate the fix.

Module 7: Release and distribution compromise
  • Compromising tags, releases, and build provenance
  • Abuse paths through GitHub Packages and artifact distribution
  • Backdooring build outputs in ways that look legitimate
  • Protecting releases with review gates and stronger provenance

Lab: Execute a release compromise scenario and then implement a hardened release workflow.

Module 8: Hardening workflows and dependencies
  • Least privilege for workflow permissions and GITHUB_TOKEN
  • Action usage governance: pinning, allowlists, and restricting third-party actions
  • Secrets hygiene: reducing long-lived secrets and tightening scopes
  • Environment protections: approvals, reviewers, and deployment gates

Lab: Convert a risky workflow into a hardened baseline with minimal functionality loss.

Module 9: Secure deployments from GitHub
  • Removing long-lived cloud secrets from pipelines
  • Using short-lived credentials and scoped deployment access
  • Separating build and deploy trust domains
  • Guardrails for production deployments

Lab: Replace long-lived deployment secrets with safer deployment patterns.

Module 10: Organization level security review and hardening workshop

A guided review of a GitHub org with a repeatable checklist and a prioritized hardening plan.

Topics covered:

  • Identity and authentication controls
  • Organization policies for GitHub Actions
  • Repository governance and protections for sensitive changes
  • Runner posture review, inventory, isolation, and lifecycle
  • Token governance and permission baselines

What you will learn:

By the end of the training, participants will be able to:

  • Map real GitHub CI/CD attack paths, from initial access to release compromise
  • Identify insecure workflow patterns and fix them using safer defaults
  • Understand GitHub token and secret exposure paths, and reduce blast radius
  • Secure GitHub Actions usage across the org with policies and guardrails
  • Harden self-hosted runners and design safer runner topologies
  • Build an org level security review checklist that can be repeated every quarter

Who should attend

This course is designed for:

  • AppSec engineers and product security teams
  • DevOps, SRE, and platform engineering teams
  • Security engineers responsible for CI/CD and developer platform security
  • Engineering leads and security champions who own build and release pipelines

If you use GitHub Actions for builds, tests, releases, or deployments, this training is relevant.

Prerequisites

You do not need prior CI/CD exploitation experience.

Recommended background:

  • Comfortable reading YAML and following build logs
  • Basic understanding of Git concepts and pull request workflows
  • Familiarity with containers is helpful but not required

We cover all GitHub-specific concepts needed for the labs.

What to expect in the training
  • Hands-on labs for each module
  • Realistic attack chains that reflect how modern incidents happen
  • Clear defensive remediations and hardening patterns after each offensive technique
  • A repeatable org review and hardening workshop

What not to expect
  • This is not a generic CI/CD course. It focuses only on GitHub.
  • This is not a compliance checklist class. The emphasis is on practical exploitation and practical fixes.
  • This is not a tool marketing session. We focus on primitives, patterns, and repeatable workflows.

Capstone
Full kill chain, then harden and re-test

Participants will:

  • Attack a vulnerable GitHub org and demonstrate end-to-end impact
  • Document the chain as an incident narrative
  • Apply defenses that break the chain
  • Re-test to confirm the fixes

Hands-on labs and environment
  • Labs are designed so a modern browser is sufficient
  • A fresh GitHub organization for exercises: we will provide automation to set things up
  • Optional local tooling is provided for participants who prefer terminal workflows

What participants should bring
  • Laptop with a modern browser
  • A GitHub account, preferably at least 30-45 days old [there are some workflows which GitHub blocks on freshly created accounts]
  • Ability to connect to the internet on the training network

Outcomes for teams

After this training, teams typically walk away with:

  • A GitHub Actions hardening baseline that can be applied across repositories
  • A runner security design that reduces blast radius
  • A repeatable org review checklist and a prioritized hardening backlog
  • Clear decision points on where to invest in guardrails vs process

Trainer

Anant Shrivastava

Founder

Cyfinoid Research