Platform Engineering

Supply Chain Security in GitHub Actions: Stopping the Next SolarWinds

Use SBOMs, pinned actions, and signed commits in GitHub Actions to guarantee code provenance from commit to container — the cheap version of supply-chain security.

·2 min read·
#GitHubActions#Security#SBOM

SolarWinds didn't happen because attackers were geniuses. It happened because the build pipeline was a trusted black box that nobody could attest to after the fact. GitHub Actions, used carelessly, is exactly the same shape.

Here's the cheap, three-control version of supply-chain security that closes 80% of the gap.

Control 1: Pin every action to a SHA

uses: actions/checkout@v4 resolves to a tag the maintainer can re-point. uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab is immutable. A compromised maintainer cannot retroactively change what you ran.

Dependabot has a package-ecosystem: github-actions mode that opens PRs to bump SHAs while keeping them pinned. There is no excuse for @v4 in 2025.

Control 2: Generate and store an SBOM per artifact

- name: Generate SBOM
  uses: anchore/sbom-action@<sha>
  with:
    image: ${{ env.IMAGE_URI }}
    format: spdx-json
    output-file: sbom.spdx.json

- name: Attach SBOM to image
  run: cosign attest --predicate sbom.spdx.json --type spdx ${{ env.IMAGE_URI }}

The SBOM tells you what's actually in the image. When the next Log4Shell drops, "do we use log4j 2.14?" is a grep against your SBOM archive, not a panicked dependency audit across 60 repos.

Control 3: Sign commits and sign images

  • Commit signing with Sigstore's gitsign ties every commit to a verified human identity, not a Git config string anyone can spoof.
  • Image signing with cosign lets the deployer verify the image was built by your pipeline before it runs:
cosign verify \
  --certificate-identity-regexp 'https://github.com/acme/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  $IMAGE

Wire that into an admission controller (Kyverno, Gatekeeper) and unsigned images simply don't deploy.

What the auditor sees

  • For any deployed artifact: a signed SBOM + provenance attestation chain back to a specific commit SHA, a specific workflow run, and a specific GitHub identity.
  • A negative test: deploying an unsigned image gets rejected, with a screenshot.
  • A Dependabot graph showing actions pinned at SHAs with managed update PRs.

This isn't NSA-grade supply chain security. It's the minimum that turns "we trust GitHub" into "we can prove what we built and who built it." That's the entire SolarWinds gap, closed for the cost of three YAML steps and a Cosign install.

Further reading: SLSA framework.

Closing thought

The SolarWinds-style gap closes with a small set of habits, not a large platform purchase: pin actions by SHA, sign artifacts, attest provenance, and reject anything unsigned at deploy time. None of these are expensive on their own. The cost is consistency — every repo, every workflow, every release.

A minimum viable supply-chain hygiene checklist

  • All GitHub Actions pinned to commit SHA
  • Cosign-signed images required at deploy time
  • SLSA provenance attached to release artifacts
  • Dependabot enabled with auto-merge for low-risk bumps
  • A documented "what we would do on next big GitHub incident" plan
Public profile lookup

Ask AI About the Author

Open this query in ChatGPT, Claude, or Perplexity.

Comments

Comments are open to confirmed email subscribers. Use the email you subscribed with. To edit a comment, delete it and post a new one.

0/2000
Verify:

    Get new field notes by email

    Field notes from someone who ships before they write about it. Sovereign AI, AI-SDLC, DevOps, and what 59 production deployments teach you. No spam. Unsubscribe anytime.

    Related field notes