📱 Defending GitHub Actions: Security Analysis with GASA

Bret Fisher Docker and DevOps • May 28, 2026

Why It Matters

GASA helps organizations quickly assess and remediate systemic GitHub Actions misconfigurations at scale, lowering CI/CD and supply-chain attack risk. By surfacing admin-level settings often missed by other tools, it fills a gap in posture management for enterprises with many repositories.

Summary

A developer has built GASA, a Golang-based GitHub Actions Security Analyzer that inspects repository, organization, enterprise and personal admin settings to identify risky Actions configurations. Unlike typical linters, GASA focuses on admin permissions and settings—flagging issues such as use of pull_request_target, lax permissions, and unpinned action hashes. The tool is currently private and early-stage; the author plans releases and possible GitHub Action integration but cautions about exposing sensitive findings publicly. GASA emerged from a community effort focused on automating DevOps and security checks for large multi-repo environments.
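As an added illustration, not GASA's own code (the tool itself is a private Go project), the Python sketch below applies the three checks the summary names to a single workflow file: a `pull_request_target` trigger, broad workflow-level `permissions`, and `uses:` references not pinned to a 40-character commit SHA. The sample workflow and the hex SHA inside it are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the page). The 40-hex SHA is a
# placeholder, not a real commit of actions/setup-go.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - run: go test ./...
"""

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_REF = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)", re.M)
TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions:[ \t]*(.*)$", re.M)


def analyze_workflow(text: str) -> list[str]:
    """Return one finding string per issue found in a workflow file's text."""
    findings = []
    # 1. pull_request_target runs in the base repository's context, with its
    #    secrets and token, even for pull requests opened from forks.
    if re.search(r"\bpull_request_target\b", text):
        findings.append("trigger: pull_request_target exposes base-repo secrets to fork PRs")
    # 2. Workflow-level permissions: absent (repository default applies) or
    #    write-all (every scope granted to GITHUB_TOKEN).
    perm = TOP_LEVEL_PERMISSIONS.search(text)
    if perm is None:
        findings.append("permissions: not set at workflow level; repository default applies")
    elif perm.group(1).strip() == "write-all":
        findings.append("permissions: write-all grants every scope to GITHUB_TOKEN")
    # 3. An action referenced by tag or branch can change after review;
    #    a full commit SHA is the only immutable pin. Local "./" actions
    #    carry no "@ref" and are skipped here.
    for action, ref in USES_REF.findall(text):
        if not COMMIT_SHA.match(ref):
            findings.append(f"unpinned: {action}@{ref} is a mutable ref, pin to a commit SHA")
    return findings


if __name__ == "__main__":
    for finding in analyze_workflow(SAMPLE_WORKFLOW):
        print(finding)
```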

Original Description

I built a thing to help our #GitHubActions Security, but was that a good idea?
🙌 I've launched the Agentic DevOps Guild, which is my premium community for accelerating your AI adoption for DevOps, CI/CD, platform engineering, and SRE. It includes courses, regular meetups, workshops, and mentorship. 🍾 https://www.bretfisher.com/theguild
🗞️ Sign up for my weekly newsletter for the latest on upcoming guests and what I'm releasing: https://www.bretfisher.com/newsletters/cloud-native-devops
