Secure your pipelines with Chainguard Actions, now available in Open Beta
Today, Chainguard Actions is available in Open Beta, giving teams self-serve access to try the largest catalog of hardened, verified GitHub Actions directly through GitHub.
With this release, teams can replace popular GitHub Actions with hardened versions, request new Actions with a one-day SLA, and use the Chainguard Actions migration skill to inventory their Actions usage and automate migration.
High privilege, high risk
GitHub Actions have become the backbone of modern CI/CD, and are highly privileged. As the components of the pipelines that build, test, and release software, they have access to source code, tokens, cloud credentials, and release infrastructure. These deeply privileged, automated workflows have become ideal supply chain attack targets in an AI age where the cost and expertise required to carry out scaled malicious attacks have fallen dramatically.
Without a trusted source for GitHub Actions, every new action pulled from the GitHub Marketplace introduces additional risk to an organization’s most privileged systems. Recent attacks have shown how GitHub Actions and release workflows can be used to expose secrets, pull credential-stealing malware, and publish poisoned packages. Some of these include:
Trivy: Compromised trivy-action and setup-trivy references caused CI/CD pipelines to pull credential-stealing malware from tags developers already trusted.
Mini Shai-Hulud: GitHub Actions release workflows were used to publish poisoned packages and expose GitHub, cloud, and CI/CD secrets.
tj-actions: Attackers compromised tj-actions/changed-files, a GitHub Action used by 23,000+ repositories, causing CI/CD secrets to be printed into workflow logs.
Because attackers use AI to target every layer of the SDLC, AI readiness and velocity must extend to the pipelines that build, test, and release software.
Chainguard offers the most comprehensive catalog of secure open source available wherever engineers and AI agents need it. With Chainguard Actions, that model now extends to CI/CD, so teams and agents can keep using the GitHub Actions they rely on while quickly reducing risk and avoiding extra manual review work for security teams.
From vulnerable to hardened
See how Chainguard takes a popular Action with a real script injection vulnerability and hardens it into a drop-in replacement that’s safe to run in your workflows.
What's new in the Open Beta of Chainguard Actions
Chainguard Actions give engineers a trusted way to consume popular GitHub Actions without asking security teams to manually inspect, approve, and maintain every Action themselves.
Each Chainguard Action is continuously verified and hardened, so security engineers aren’t scrambling when actions-based attacks hit. They also get an auditable record for each action of what vulnerabilities were found and removed, so they can verify and prove their pipeline integrity.
The open beta builds on that foundation with three additions designed to make trusted Actions safer to adopt at scale: self-serve access to 500+ Actions, a one-day SLA for new requests, and an automated migration skill.
Broad coverage out of the box
The GitHub Marketplace gives developers an Action for almost everything. Chainguard Actions makes that breadth safer to adopt, with the last 5 versions of 500+ Actions hardened and available through GitHub on day one.
Each Chainguard Action has been run through a multi-layer hardening pipeline that combines rule-based analysis with AI-augmented review. When findings are detected, the action’s .yaml file is rewritten to remove unsafe patterns such as script injection risks, insecure environment variable handling, and unsafe command interpolation while preserving expected functionality. Every action is re-secured quickly as upstream versions ship and new attack patterns are identified, so your pipelines stay protected today and tomorrow.
Continuous protection, without gaps
As teams scale, developers and AI agents create new workflows, adopt new tools, and need new Actions. A trusted catalog has to keep up with that demand seamlessly.
That is why Chainguard Actions includes a one-day SLA for new Action requests. If an Action is not already in the catalog, engineers can request it by filing a GitHub Issue, and Chainguard will harden and make it available within one business day.
This keeps coverage from becoming uneven or from slowing teams down. New and infrequently used Actions can be brought into the same hardened, verified model as the rest of the catalog, reducing long-tail CI/CD supply chain risk without requiring security teams to maintain forks, track upstream changes, or manually re-review each Action over time.
Faster migration
Many teams struggle to quickly identify what Actions are actually running across their workflows. The Chainguard Actions migration skill can not only help you quickly do that, but it also automates migration.
After getting the skill from the Chainguard Agent Skills registry, point it at a repo or org, and it generates a report that details which actions you are using, their versions, and how many workflows they’re in.
From there, the skill can create a PR to swap every eligible Action to its hardened equivalent, with the option to merge automatically. Whether you're securing one repo or an entire org, the skill handles the heavy lifting so you can stay focused on shipping your roadmap.
Get started with Chainguard Actions
As attacks and the volume of code being shipped increase, teams need a trusted source for open source that encompasses the breadth of the software supply chain. Chainguard is built to provide exactly that.
With last week’s announcement of Chainguard Agent Skills and the open beta of Chainguard Actions, engineers and AI agents are able to build more safely across the modern SDLC, from the skills that help create and maintain software to the pipelines that software flows through on its way to production. End-to-end, Chainguard is your secure source for open source.
Ready to try Chainguard Actions for yourself? Quickstart your 30-day free trial of Chainguard Actions with the Chainguard Actions Migration Skill to inventory what's running in your workflows and automate your migration. Want to learn more about getting started with Chainguard Actions? Check out the documentation or book time with our team.
Share this article
Articles connexes
- produit
Securing the AI coding ecosystem: Chainguard and the AI tools developers use
Matt Stead, Product Marketing Manager
- produit
Adopt hardened containers without changing your pipelines, tooling, or environment
Mandy Hubbard, Sr. Technical Product Marketing Manager
- produit
Chainguard plug-in now available on Cursor Marketplace
Matt Stead, Product Marketing Manager
- produit
Chainguard Libraries for Java is now GA and includes CVE remediation
Ross Gordon, Staff Product Marketing Manager
- produit
Introducing the Chainguard cinc-auditor image: STIG scanning for Chainguard Containers, ready to run
Steve Beattie, Sr. Principal Software Engineer, and Mandy Hubbard, Sr. Technical Product Marketing Manager
- produit
Chainguard Agent Skills is now open to everyone, with a private registry to manage your internal skills
Anushka Iyer, Product Marketing Manager, and Tyler Paxton, Principal Product Manager