Chainguard Actions overview

Thu, 18 Jun 2026 00:00:00 +0000

Chainguard Actions are a set of hardened drop-in replacements for popular GitHub Actions. Each action preserves the same inputs and outputs as the upstream version, but has been examined and revised to better protect your CI/CD pipelines from supply chain attacks. The only change in your workflow configuration is the name of the action in the uses: line.

Coverage spans GitHub first-party (actions/*), cloud-provider (aws-actions/*, azure/*, google-github-actions/*), Docker, HashiCorp, and security tools actions (Trivy, Grype, CodeQL, Semgrep), as well as a growing catalog of community actions.

Securing CI/CD with Chainguard

Thu, 30 Apr 2026 12:00:00 +0000

The April 2026 Learning Lab with Erika Heidi goes through how attackers exploit vulnerable GitHub Actions workflows, and how Chainguard can protect your CI/CD pipelines from these threats.

Sections

0:00 Introduction and agenda
5:31 Timeline of CI/CD software supply chain incidents
11:25 Open Source and CI/CD as the new target
12:47 2026: the year of AI-assisted attacks
15:16 Unpacking the Trivy Compromise
19:57 Secret exfiltration live demo
36:17 What could unfold from here
39:04 Strategies to mitigate risks
39:24 Repository inspection for insecure defaults
44:03 Minimize attack surface
48:48 Pull from trusted sources
52:21 Pin by digest
54:28 Use short lived tokens (ban PATs)
55:32 Use Chainguard Actions
58:55 Closing notes

Chainguard Actions on

Chainguard Actions overview

Securing CI/CD with Chainguard

Sections

Resources