kurmiashish commented on AI coding agents in CI/CD pipelines create new attack vectors   stepsecurity.io/blog/when... · Posted by u/kurmiashish
kurmiashish · a month ago
This article explores how AI coding agents (GitHub Copilot, Claude Code, etc.) operating in CI/CD environments introduce novel security risks that traditional EDR solutions can't detect. The key insight: these agents have elevated privileges to create branches, open PRs, and execute code based on natural language instructions - but organizations have zero visibility into what they're actually doing behind the scenes. The post highlights real attack scenarios where agents can be manipulated through behavioral exploitation rather than direct compromise. For example, tricking an agent into generating subtle vulnerabilities in PRs that human reviewers might miss, or having them trigger malicious workflow runs through seemingly innocent issue comments. Most interesting is the "context gap" problem - traditional security tools see low-level system calls but miss the AI decision chain that led to those actions. When an agent downloads from gist.githubusercontent.com, is it fetching legitimate dependencies or malicious code? Without CI/CD-aware monitoring, you can't tell. The article is part of a series examining these risks and demonstrating runtime monitoring approaches specific to AI-powered development workflows.
kurmiashish commented on Tj-actions/changed-files GitHub Action Compromised – used by over 23K repos   stepsecurity.io/blog/hard... · Posted by u/varunsharma07
rahulr0609 · 5 months ago
@kurmiashish - If you and your team are willing to share your version without requiring a Step Security subscription today or in the future, happy to archive our repo and redirect users to Step.

Thanks again for your timely detection and reporting!

kurmiashish · 5 months ago
@rahulr0609 https://github.com/step-security/changed-files will forever remain free, and the community can use it without requiring a StepSecurity subscription.
kurmiashish commented on Tj-actions/changed-files GitHub Action Compromised – used by over 23K repos   stepsecurity.io/blog/hard... · Posted by u/varunsharma07
kurmiashish · 5 months ago
Due to the ongoing security incident involving the tj-actions/changed-files Action, we at StepSecurity have provided a secure, drop-in replacement: step-security/changed-files.

We strongly advise replacing all instances of tj-actions/changed-files in your workflows with our secure alternative: https://github.com/step-security/changed-files

kurmiashish commented on Tj-actions/changed-files GitHub Action Compromised – used by over 23K repos   stepsecurity.io/blog/hard... · Posted by u/varunsharma07
cyrnel · 5 months ago
The advertising in this article is making it actively difficult to figure out how to remediate this issue. The "recovery steps" section just says "start our 14 day free trial".

The security industry tolerates self-promotion only to the extent that the threat research benefits everyone.

kurmiashish · 5 months ago
Thank you, cyrnel, for the feedback! We are trying our best to help serve the community. Now, we have separate recovery steps for general users and our enterprise customers.
kurmiashish commented on Tj-actions/changed-files GitHub Action Compromised – used by over 23K repos   stepsecurity.io/blog/hard... · Posted by u/varunsharma07
kurmiashish · 5 months ago
Disclaimer: I am a co-founder of StepSecurity.

StepSecurity Harden-Runner detected this security incident by continuously monitoring outbound network calls from GitHub Actions workflows and generating a baseline of expected behaviors. When the compromised tj-actions/changed-files Action was executed, Harden-Runner flagged it due to an unexpected endpoint appearing in the network traffic, an anomaly that deviated from the established baseline. You can check out the project here: https://github.com/step-security/harden-runner

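The comment above describes the detection idea at a high level: record which endpoints each workflow step normally talks to, then alert when a step contacts something outside that set. The following is an added illustration of that approach written for this page; it is not Harden-Runner's code and it assumes a hypothetical per-step egress log format (`<timestamp> run=<id> step=<name> dst=<host>:<port>`) that some runner-level network monitor might emit. The log lines are constructed; the unexpected `gist.githubusercontent.com` destination is placed in the sample to mirror the kind of anomaly the discussion refers to, not to reproduce the incident's actual traffic.

```python
"""Baseline-then-alert on per-step egress from CI jobs.

Added example for this thread, not Harden-Runner's implementation.
Assumes a hypothetical log format:
    <iso timestamp> run=<id> step=<job step> dst=<host>:<port>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) run=(?P<run>\S+) step=(?P<step>\S+) "
    r"dst=(?P<host>[^:\s]+):(?P<port>\d+)$"
)

# Constructed sample: three clean runs recorded before any compromise.
BASELINE_LOG = """
2025-03-10T09:00:01Z run=101 step=checkout dst=github.com:443
2025-03-10T09:00:04Z run=101 step=changed-files dst=api.github.com:443
2025-03-10T09:00:09Z run=101 step=build dst=registry.npmjs.org:443
2025-03-11T09:00:01Z run=102 step=checkout dst=github.com:443
2025-03-11T09:00:05Z run=102 step=changed-files dst=api.github.com:443
2025-03-11T09:00:10Z run=102 step=build dst=registry.npmjs.org:443
2025-03-12T09:00:02Z run=103 step=checkout dst=github.com:443
2025-03-12T09:00:06Z run=103 step=changed-files dst=api.github.com:443
2025-03-12T09:00:11Z run=103 step=build dst=registry.npmjs.org:443
""".strip().splitlines()

# Constructed sample: a later run where one known step reaches a new host
# and a step never seen before appears.
CURRENT_LOG = """
2025-03-14T09:00:01Z run=104 step=checkout dst=github.com:443
2025-03-14T09:00:05Z run=104 step=changed-files dst=api.github.com:443
2025-03-14T09:00:06Z run=104 step=changed-files dst=gist.githubusercontent.com:443
2025-03-14T09:00:07Z run=104 step=changed-files dst=gist.githubusercontent.com:443
2025-03-14T09:00:10Z run=104 step=build dst=registry.npmjs.org:443
2025-03-14T09:00:15Z run=104 step=publish dst=203.0.113.7:8080
""".strip().splitlines()


def parse(lines):
    """Return (run, step, host, port) tuples; silently skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["run"], m["step"], m["host"], int(m["port"])))
    return events


def build_baseline(events):
    """Map each step name to the set of (host, port) it contacted in clean runs."""
    baseline = defaultdict(set)
    for _run, step, host, port in events:
        baseline[step].add((host, port))
    return dict(baseline)


def detect_anomalies(baseline, events):
    """Flag each distinct (step, destination) pair not covered by the baseline.

    A destination is judged per step, so a host that is normal for one step
    is still an anomaly if a different step starts contacting it.
    """
    findings, seen = [], set()
    for run, step, host, port in events:
        key = (step, host, port)
        if key in seen or (host, port) in baseline.get(step, set()):
            continue
        seen.add(key)
        findings.append({
            "run": run,
            "step": step,
            "dst": f"{host}:{port}",
            "reason": "no baseline for step" if step not in baseline
                      else "endpoint not in baseline",
        })
    return findings


def run_demo():
    """Build the baseline from the clean runs and scan the later run."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect_anomalies(baseline, parse(CURRENT_LOG))


if __name__ == "__main__":
    for f in run_demo():
        print(f"run {f['run']} step {f['step']} -> {f['dst']}: {f['reason']}")
```

The baseline must be built only from runs recorded before the suspect change; if the compromised run is folded into the baseline, its destinations become "expected" and the alert disappears. Separating a never-seen step from a known step with a new destination also helps triage: the former often means a workflow edit, the latter is closer to what the comment describes.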