July 1, 2025 21 mins

https://youtu.be/k3DBur7iEHM


Speaker: Amiran Alavidze

Amiran is a passionate product security professional with over 20 years of experience spanning systems engineering, security operations, GRC, and product and application security. As a security engineering leader, he champions a pragmatic, scalable approach to security - where collaboration between security, developer, and platform teams turns security into a business enabler rather than a bottleneck.

With a deep understanding of evolving cloud architectures and modern development practices, Amiran focuses on helping organizations align security with velocity, ensuring defenses scale effectively in dynamic environments.

An avid supporter of the local security community, he is actively involved with the OWASP Vancouver chapter and DC604 DEFCON group.

Talk:

If your CI/CD pipelines are built on GitHub Actions, you might be using GitHub Actions secrets to securely store credentials for connecting to your cloud environments. The security model for GitHub Actions secrets is not very intuitive. Many organizations assume that repository and organization-level secrets offer sufficient protection, but in reality these secrets lack granular access controls, exposing organizations to hidden security risks.

In this talk, we'll break down the different types of secrets in GitHub Actions (organization, repository, and environment), the protections they offer, and their limitations. We'll explore how misconfigurations lead to a false sense of security and discuss a more robust approach using environments and environment protection rules. We'll also examine OpenID Connect (OIDC) for cloud authentication - where there are no long-lived secrets - but where misconfigurations can still introduce risks, and how environment-based protections help.

You'll leave with a clearer understanding of GitHub Actions secrets, their exposure risks, and practical strategies to better protect cloud permissions of your CI/CD pipelines. Whether you're securing sensitive credentials or refining your OIDC configurations, this session will equip you with actionable defenses to keep your automation secure at scale.
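As an added illustration of the OIDC misconfiguration point in the abstract (this is not code from the talk or its speaker), the following Python script audits the `sub` condition of an AWS IAM role trust policy for the GitHub OIDC provider. A trust policy whose `sub` condition is a broad wildcard lets any workflow in the organization (or any repository at all) assume the cloud role, while a `sub` pinned to a specific repository environment means only jobs that pass that environment's protection rules ever receive a token with that subject. The two sample policies are constructed; the account id, organization, repository and environment names are placeholders. The script assumes the standard trust-policy shape and the documented GitHub `sub` claim formats (`repo:OWNER/REPO:environment:NAME`, `repo:OWNER/REPO:ref:refs/heads/BRANCH`, `repo:OWNER/REPO:pull_request`).

```python
"""Audit the `sub` condition of GitHub OIDC trust policies for AWS IAM roles (added example)."""
import json
import re

ISSUER = "token.actions.githubusercontent.com"
SUB_KEY = f"{ISSUER}:sub"
AUD_KEY = f"{ISSUER}:aud"
CONDITION_OPERATORS = ("StringEquals", "StringLike",
                       "ForAnyValue:StringEquals", "ForAnyValue:StringLike")


def build_trust_policy(sub_operator, sub_value):
    """Construct a sample trust policy for the GitHub OIDC provider.

    The account id is a placeholder (123456789012), not a real account.
    """
    condition = {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}}
    condition.setdefault(sub_operator, {})[SUB_KEY] = sub_value
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def classify_subject(operator, pattern):
    """Return (scope, rationale) for one `sub` condition value."""
    if "*" in pattern and operator != "StringLike":
        return "never-matches", "StringEquals compares literally; '*' is not a wildcard here"
    if pattern in ("*", "repo:*"):
        return "any-repo", "any GitHub repository with this audience can assume the role"
    m = re.fullmatch(r"repo:([^/:]+)/([^:]+)(?::(.*))?", pattern)
    if not m:
        return "unrecognised", "does not look like a GitHub Actions sub claim"
    owner, repo, rest = m.groups()
    if "*" in owner:
        return "any-repo", "owner wildcard: any repository on GitHub matches"
    if "*" in repo:
        return "org-wide", "every repository under this owner, on any branch or PR, matches"
    if rest is None:
        return "never-matches", "GitHub always appends a ref, environment or pull_request segment"
    if "*" in rest:
        return "repo-wide", "any branch, tag, PR or environment of this repository matches"
    if rest.startswith("environment:"):
        return "environment", "only jobs that passed this environment's protection rules match"
    if rest.startswith("ref:refs/heads/"):
        return "branch", "only this branch matches; relies on branch protection"
    if rest.startswith("ref:refs/tags/"):
        return "tag", "only this tag matches; anyone who can push the tag can assume the role"
    if rest == "pull_request":
        return "pull-request", "pull_request-event jobs match"
    return "other", "narrow but unrecognised segment; review manually"


def audit_trust_policy(policy):
    """Return one finding per `sub` condition (or one 'no-sub-condition' finding per statement)."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        condition = stmt.get("Condition", {})
        subjects = []
        for op in CONDITION_OPERATORS:
            values = condition.get(op, {}).get(SUB_KEY)
            if values is None:
                continue
            values = [values] if isinstance(values, str) else values
            subjects.extend((op.split(":")[-1], v) for v in values)
        if not subjects:
            findings.append({"scope": "no-sub-condition", "pattern": None,
                             "note": "no sub check: any workflow presenting this audience can assume the role"})
            continue
        for op, value in subjects:
            scope, note = classify_subject(op, value)
            findings.append({"scope": scope, "pattern": value, "note": note})
    return findings


# Constructed samples: the weak policy trusts the whole organization, the
# hardened one trusts only the protected "production" environment of one repo.
WEAK_POLICY = build_trust_policy("StringLike", "repo:example-org/*")
HARDENED_POLICY = build_trust_policy("StringEquals", "repo:example-org/app:environment:production")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"== {name} ==")
        print(json.dumps(policy["Statement"][0]["Condition"], indent=2))
        for f in audit_trust_policy(policy):
            print(f"  [{f['scope']}] {f['pattern']!r}: {f['note']}")
```

The scope labels follow the abstract's ordering of protections: an environment-pinned subject is the strongest, because the token only carries that subject once the job has cleared the environment's protection rules (required reviewers, deployment branch restrictions), whereas organization- or repository-wide wildcards hand the role to any branch or pull request that can run a workflow. Dropping the `sub` condition entirely, or using `StringLike` with a bare `*`, removes the last tie between the cloud role and a specific pipeline.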
