DiscoverSecurity Weekly Podcast Network (Audio)Researching and Remediating RCEs via GitHub Actions - Bar Kaduri, Roi Nisimi - ASW #355
Researching and Remediating RCEs via GitHub Actions - Bar Kaduri, Roi Nisimi - ASW #355

Researching and Remediating RCEs via GitHub Actions - Bar Kaduri, Roi Nisimi - ASW #355

Update: 2025-11-04
Share

Description

Pull requests are a core part of collaboration, whether in open or closed source. GitHub has documented some of the security consequences of misconfiguring how PRs can trigger actions. But what happens when repo owners don't read the docs? Bar Kaduri and Roi Nisimi walk through their experience in reading docs, finding vulns, demonstrating exploits, and working with repo owners to improve their security. Their work highlights the challenges in maintaining good security guidance, figuring out secure defaults, and how so many orgs still struggle with triaging external security reports -- something that's becoming even more challenging when orgs are being flooded with low-quality reports from LLMs.

Segment Resources:

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-355

Comments 
In Channel
Researching and Remediating RCEs via GitHub Actions - Bar Kaduri, Roi Nisimi - ASW #355

Researching and Remediating RCEs via GitHub Actions - Bar Kaduri, Roi Nisimi - ASW #355

2025-11-0401:08:08

Transforming Frontline Workflows with Passwordless Access, AI costs, and the News - Joel Burleson-Davis - ESW #431

Transforming Frontline Workflows with Passwordless Access, AI costs, and the News - Joel Burleson-Davis - ESW #431

2025-11-0301:41:46

AI Cheating?, O, Canada, npms, passkeys, Exchange, Solaris, the amazing Rob Allen - Rob Allen - SWN #525

AI Cheating?, O, Canada, npms, passkeys, Exchange, Solaris, the amazing Rob Allen - Rob Allen - SWN #525

2025-10-3132:25

Cybersecurity Is Dead - PSW #898

Cybersecurity Is Dead - PSW #898

2025-10-3002:03:55

Emergence of the Chief Trust Officer as CISOs Earn Business Respect and Agenda Shifts - Jeff Pollard - BSW #419

Emergence of the Chief Trust Officer as CISOs Earn Business Respect and Agenda Shifts - Jeff Pollard - BSW #419

2025-10-2901:00:15

Lockpick chaos, CoPhish, Atlas, Turing, ForumTroll, PKD, Kilgore Trout, Aaran Leyland - SWN #524

Lockpick chaos, CoPhish, Atlas, Turing, ForumTroll, PKD, Kilgore Trout, Aaran Leyland - SWN #524

2025-10-2834:35

Quantum Computing Isn’t A Threat To Blockchains - Yet - Martha Bennett, Sandy Carielli - ASW #354

Quantum Computing Isn’t A Threat To Blockchains - Yet - Martha Bennett, Sandy Carielli - ASW #354

2025-10-2858:52

Securing AI Agents with Dave Lewis, Enterprise News, and interviews from Oktane 2025 - Mike Poole, Conor Mulherin, Dave Lewis - ESW #430

Securing AI Agents with Dave Lewis, Enterprise News, and interviews from Oktane 2025 - Mike Poole, Conor Mulherin, Dave Lewis - ESW #430

2025-10-2701:39:12

Robo Bees, side, AI Risk, Red Tiger, SessionReaper, Bad Bots, Willow, Josh Marpet - SWN #523

Robo Bees, side, AI Risk, Red Tiger, SessionReaper, Bad Bots, Willow, Josh Marpet - SWN #523

2025-10-2432:35

Its Always DNS - PSW #897

Its Always DNS - PSW #897

2025-10-2302:04:27

Security That Sticks: Shaping Human Behavior - Rinki Sethi, Nicole Jiang - BSW #418

Security That Sticks: Shaping Human Behavior - Rinki Sethi, Nicole Jiang - BSW #418

2025-10-2201:03:00

The Afterlife, AWS, ClickFix, Agentic AI, Robot Lumberjacks, Robocalls, Aaran Leyland - SWN #522

The Afterlife, AWS, ClickFix, Agentic AI, Robot Lumberjacks, Robocalls, Aaran Leyland - SWN #522

2025-10-2137:43

Reacting to Ransomware and Setting Secure Defaults - Rob Allen - ASW #353

Reacting to Ransomware and Setting Secure Defaults - Rob Allen - ASW #353

2025-10-2101:03:39

Mitigating attacks against AI-enabled Apps, Replacing the CIA triad, Enterprise News - David Brauchler - ESW #429

Mitigating attacks against AI-enabled Apps, Replacing the CIA triad, Enterprise News - David Brauchler - ESW #429

2025-10-2001:38:26

Erotic Chats, UEFI, F5, Cisco, Doug Sings, Insiders, Lastpass, Sora, Aaran Leyland... - SWN #521

Erotic Chats, UEFI, F5, Cisco, Doug Sings, Insiders, Lastpass, Sora, Aaran Leyland... - SWN #521

2025-10-1735:31

AI, EDR, and Hacking Things - PSW #896

AI, EDR, and Hacking Things - PSW #896

2025-10-1602:04:54

Automating Compliance and Risk with Agentic AI as CISOs (R)Evolve - Trevor Horwitz - BSW #417

Automating Compliance and Risk with Agentic AI as CISOs (R)Evolve - Trevor Horwitz - BSW #417

2025-10-1554:20

Bikers, Apple, Storm-657, Astaroth, EES, Salesforce, Aaran Leyland, and more... - SWN #520

Bikers, Apple, Storm-657, Astaroth, EES, Salesforce, Aaran Leyland, and more... - SWN #520

2025-10-1432:37

Inside the OWASP GenAI Security Project - Steve Wilson - ASW #352

Inside the OWASP GenAI Security Project - Steve Wilson - ASW #352

2025-10-1401:07:32

New book from Dr. Anand Singh, why CISOs buy, and the latest news - Anand Singh - ESW #428

New book from Dr. Anand Singh, why CISOs buy, and the latest news - Anand Singh - ESW #428

2025-10-1301:43:44

loading
Google Play
Download from Google Play
Castbox
Download from App Store
usUnited States
00:00
00:00
x

0.5x

0.8x

1.0x

1.25x

1.5x

2.0x

3.0x

Sleep Timer

Off

End of Episode

5 Minutes

10 Minutes

15 Minutes

30 Minutes

45 Minutes

60 Minutes

120 Minutes

Researching and Remediating RCEs via GitHub Actions - Bar Kaduri, Roi Nisimi - ASW #355

Researching and Remediating RCEs via GitHub Actions - Bar Kaduri, Roi Nisimi - ASW #355