my job?

Reply to my job? on Tue, 07 Apr 2026 18:22:14 GMT

yossarian@infosec.exchange — Tue, 07 Apr 2026 18:22:14 GMT

@caspicat I actually hadn't seen this, but I'm not sure how it makes GH's own runners untrustworthy? it's definitely a (bad) operational error, but AFAICT it doesn't change the platform's security posture significantly

Reply to my job? on Tue, 07 Apr 2026 17:58:10 GMT

caspicat@infosec.exchange — Tue, 07 Apr 2026 17:58:10 GMT

@yossarian btw have you seen this? Old news, but not sure if this was widely discussed. TL;DR You can't trust GitHub runner images

How StepSecurity Harden Runner Detected Unexpected Microsoft Defender Installation on GitHub-hosted Ubuntu Runners - StepSecurity

Microsoft Defender was unexpectedly installed on multiple workflow runs from mid-July through mid-August, causing abnormal network traffic. StepSecurity Harden Runner detected this infrastructure anomaly within hours, and GitHub Support has since resolved the issue

(www.stepsecurity.io)

No SBOMs released for affected images during that window
https://github.com/actions/runner-images/releases

Reply to my job? on Tue, 07 Apr 2026 17:48:24 GMT

yossarian@infosec.exchange — Tue, 07 Apr 2026 17:48:24 GMT

my list got cut off