Research & Writing

Vulnerability analysis, attack techniques, and practical security engineering from the field.

vault, secrets-management, cicd

Dynamic Secrets with Vault: Why Short-Lived Credentials Change the Breach Math

In early 2025, a supply chain attack on popular GitHub Actions exfiltrated secrets from thousands of CI/CD pipelines. Static secrets meant those credentials were live until someone noticed and rotated them. Dynamic secrets with a 1-hour TTL would have expired before most teams knew there was an incident.

March 28, 2025 · 14 min read
terraform, gcp, oidc

Restricting GCP Workload Identity Federation by GitHub Team Membership

You can restrict GCP Workload Identity Federation by GitHub actor_id — but hardcoding IDs breaks every time someone joins or leaves the team. Here's how to drive those IDs from a GitHub team using Terraform data sources, with a GitHub App that keeps them in sync automatically.

March 25, 2025 · 10 min read
kubernetes, container-security, cloud-native

Container Escape in Kubernetes: The Attack Paths That Actually Work

A container is just a process with restricted syscalls and a chroot. The restrictions are good when configured correctly, and nearly meaningless when they're not. Here's how escapes actually work and what stops them.

March 22, 2025 · 12 min read
terraform, iac, cloud-security

Your Terraform State File Is a Secrets Dump. Treat It Like One.

Terraform state contains every resource attribute at creation time — database passwords, private keys, API tokens — in plaintext. Most teams store it in a GCS bucket with permissions that would make a security reviewer cry.

March 20, 2025 · 11 min read
cicd, github-actions, oidc

GitHub Actions OIDC: Ditch the Long-Lived Secrets

Long-lived cloud credentials stored in GitHub secrets are a liability. OIDC lets your workflows authenticate to GCP, AWS, npm, and PyPI using a short-lived cryptographically signed token — no stored secrets required.

March 15, 2025 · 14 min read
beacon, tools, open-source

We Built a Scanner Because We Kept Writing the Same Scripts

Every engagement starts the same way: figure out what's actually exposed. After the tenth time writing the same ad hoc TLS probe, we built Beacon.

March 1, 2025 · 6 min read
kubernetes, rbac, cloud-native

Kubernetes RBAC: The Same Five Misconfigs, Every Single Cluster

I've reviewed a lot of GKE clusters. The RBAC findings are almost identical every time — not because teams are careless, but because Kubernetes makes it genuinely easy to get this wrong.

February 12, 2025 · 8 min read
cicd, supply-chain, github-actions

Your CI/CD Pipeline Has Production Credentials. Does Anyone Know What It Can Reach?

The risks that survive the longest in CI/CD environments aren't sophisticated. They're just unreviewed. Here's what I keep finding — and why it matters more than most teams realize.

January 20, 2025 · 9 min read