Vigilant Research | Supply-Chain

We Scanned GitHub's Top 50K Repos for CI/CD Vulnerabilities — Here's What We Found

A comprehensive guide from Vigilant's security research team. 50,012 repos scanned. 192,776 vulnerabilities found. 40.6% of repos are vulnerable.

50,012 Repos Scanned

40.6% Vulnerable

192,776 Findings

590M+ Downstream Forks

Read the full research →

supply-chain

Research tagged with supply-chain.

Mar 24, 2026 2:14:52 PM

The Software Supply Chain Crisis — 74.5% of Findings Are Unpinned Actions

143,616 of 192,776 CI/CD findings in GitHub's top 50K repos trace to one problem: mutable action tags. One compromised maintainer account. Thousands of repos.

Github Supply-Chain CICD

Read analysis →

Mar 24, 2026 1:41:07 PM

Anatomy of a CI/CD Chain Attack — From Recon to Exfiltration

611 repos in GitHub's top 50K have every ingredient for a full CI/CD compromise — unpinned action, write permissions, dangerous trigger. Here's the 5-step chain attack, mapped to real scan data.

Supply-Chain CICD

Read analysis →