c0c0n 2026

c0c0n is a 19 years old platform that is aimed at providing opportunities to showcase, educate, understand and spread awareness on Information Security, data protection, and privacy...

Venue & Date

Contact Us

Attacking and Defending GitHub CI CD Pipelines

c0c0n 3-Day Professional Training

Attacking and Defending GitHub CI CD Pipelines

GitHub is where code, identity, automation, and release trust meet. If your org ships software, your GitHub org is part of your production environment.

This training shows how attackers abuse GitHub Actions, runners, tokens, and integrations to compromise builds and releases, then switches to defense with a practical hardening playbook and an organization level security review.

Format: hands-on, scenario-driven, guided labs, plus a capstone.

Course Content

Module 1: GitHub Actions and runner fundamentals
  • GitHub Actions mental model: events, workflows, jobs, steps
  • Hosted runners vs self-hosted runners
  • Runner labels, groups, and isolation boundaries
  • Artifacts, caches, environments, reusable workflows, composite actions
  • Where secrets live and how they flow through pipelines

Lab: Build a mental map of a target GitHub org and identify high value workflow entry points

Module 2: Threat modeling GitHub CI/CD
  • What attackers want from pipelines: tokens, secrets, signing keys, cloud access, release channels
  • Org, team, repo, and environment permissions as trust boundaries
  • Token surface: GITHUB_TOKEN, PATs, fine-grained tokens, deploy keys, app tokens
  • Third-party actions and reusable workflows as dependencies

Lab: Create a CI/CD threat model for a GitHub Actions workflow and assign concrete abuse paths.

Module 3: Recon and initial access paths
  • Enumerating repos, workflows, triggers, and risky patterns
  • Attack surface created by forks, PRs, and automation bots
  • Abuse of misconfigured repo settings and weak governance
  • Practical attacker entry points: compromised accounts, token leaks, malicious action updates

Lab: Identify a viable initial access path into a vulnerable org using only GitHub visible signals.

Module 4: Workflow exploitation techniques
  • Workflow permission pitfalls and over-privileged tokens
  • Expression and context injection patterns
  • Command execution paths via workflow steps and scripts
  • Artifact and cache poisoning strategies
  • Secret exposure via logs, artifacts, and unsafe debugging

Lab: Exploit a vulnerable workflow to gain unauthorized access to secrets and build outputs.

Module 5: Pull request trust boundaries
  • Risk review of common triggers: pull_request, pull_request_target, workflow_run, issue_comment
  • Why untrusted code and privileged contexts collide/li>
  • Safe patterns for CI on forks and external contributions/li>
  • Guardrails for workflow changes and sensitive steps

Lab: Demonstrate a PR-driven abuse path, then refactor the workflow to remove the class of bug.

Module 6: Self-hosted runner compromise and lateral movement
  • Runner placement mistakes that turn CI into an internal pivot box
  • Shared runners and persistent runners as a persistence surface
  • Credential harvesting and network adjacency abuse
  • Designing safer runner topologies
  • When ephemeral runners are worth it

Lab: Compromise a self-hosted runner and show lateral movement. Apply hardening and validate the fix.

Module 7: Release and distribution compromise
  • Compromising tags, releases, and build provenance
  • Abuse paths through GitHub Packages and artifact distribution
  • Backdooring build outputs in ways that look legitimate
  • Protecting releases with review gates and stronger provenance

Lab: Execute a release compromise scenario and then implement a hardened release workflow.

Module 8: Hardening workflows and dependencies
  • Least privilege for workflow permissions and GITHUB_TOKEN
  • Action usage governance: pinning, allowlists, and restricting third-party actions
  • Secrets hygiene: reducing long-lived secrets and tightening scopes
  • Environment protections: approvals, reviewers, and deployment gates

Lab: Convert a risky workflow into a hardened baseline with minimal functionality loss.

Module 9: Secure deployments from GitHub
  • Removing long-lived cloud secrets from pipelines
  • Using short-lived credentials and scoped deployment access
  • Separating build and deploy trust domains
  • Guardrails for production deployments

Lab: Replace long-lived deployment secrets with safer deployment patterns.

Module 10: Organization level security review and hardening workshop

A guided review of a GitHub org with a repeatable checklist and a prioritized hardening plan

Topics covered:

  • Identity and authentication controls
  • Organization policies for GitHub Actions
  • Repository governance and protections for sensitive changes
  • Runner posture review, inventory, isolation, and lifecycle
  • Token governance and permission baselines

Trainer

Anant Shrivastava
Anant Shrivastava

Founder

Cyfinoid Research

Training Information

  • Duration 3 Day Training
  • Dates 6th Oct, 2026 to 8th Oct, 2026
  • Time 9:00 AM – 5:30 PM
  • Venue Grand Hyatt, Bolgatty, Kochi, Kerala

Register Now