u/asadeddin

One of the biggest challenges a lot of security teams face is reducing their vulnerability backlogs. Developers often aren't picking up tickets and things get stale pretty quickly. I wanted to build a way for teams heavily using coding agents to fix backlog items on a continuous basis, so I created this DIY Patch Tuesday agent in Cursor and Corgea. This can use any code automation tool like Claude Code, Codex or any security tool that supports an MCP or CLI like Semgrep, Snyk, etc.

I like this approach because it delivers fixes in a familiar format that developers have started trusting more which is their own coding agents, and it blurs the line between security and development in a positive way. What do you all think of this approach?

https://www.youtube.com/watch?v=dMoof9u4oQo

We've all been seeing the news and it's clear that GitHub Actions isn’t just CI anymore. It's now part of your supply chain. It builds packages, publishes releases, deploys infra, and often has access to the credentials attackers want.

We put together a practical checklist for locking it down, but the highest-impact controls are pretty simple:

1. Set default GITHUB_TOKEN permissions to read-only.
2. Pin third-party actions to full commit SHAs, not tags like u/v4.
3. Be very careful with pull_request_target, especially on public repos and fork PRs.
4. Treat PR titles, branch names, issue bodies, labels, comments, and commit messages as untrusted input.
5. Use OIDC for cloud access instead of long-lived AWS/GCP/Azure secrets.
6. Don’t put untrusted code and privileged credentials in the same workflow context.
7. Avoid broad artifact uploads like path: ..
8. Don’t use self-hosted runners for public repos unless you really know what you’re doing.
9. Add CODEOWNERS/review requirements for .github/workflows/.
10. Continuously lint workflow YAML for risky triggers, unpinned actions, and script injection.

Full checklist here:
https://corgea.com/learn/github-actions-security-checklist