GitHub Actions: A Cloudy Day for Security

Explore a comprehensive conference talk from NDC Security in Oslo where Sofia Lindqvist examines the security challenges of GitHub Actions when integrated with major cloud providers. Learn how GitHub Actions functions as a CI/CD tool for workflow automation and discover the security implications when connecting to Azure, GCP, and AWS. The presentation details both secure and insecure integration methods, with particular focus on OIDC/federated identity approaches that eliminate the need for secret management. Understand common misconfiguration pitfalls that can lead to lateral movement, privilege escalation, and other vulnerabilities. The talk includes real-world examples of GitHub Actions security vulnerabilities, primarily in Azure integrations, providing practical insights for developers working with cloud deployments and CI/CD pipelines.