What I Found Scanning 30 Open-Source Repositories for CI/CD Identity Risks
Over the last few months I’ve been spending time looking into something that quietly sits behind most modern systems:
machine identities.
We spend a lot of time securing human access - MFA, SSO, password policies, phishing protection.
But in most production environments today, machines perform far more actions than people do.
APIs.
Service accounts.
CI/CD workflows.
Cloud roles.
Automation jobs.
These identities deploy code, push containers, rotate infrastructure, and connect services together.
Yet they rarely receive the same level of visibility or scrutiny.
That curiosity is what eventually led me to start building Nexora, and along the way I wrote a small research tool called nexora-cli.
The CLI scans repository workflow configurations to highlight patterns that often introduce machine-identity risk.
Nothing invasive.
No private code.
No secrets.
Just configuration analysis.
The Experiment
I ran the scanner against 30 well-known open-source repositories.
The goal wasn’t to call anyone out.
Open source projects move fast and security tradeoffs happen everywhere.
The idea was simply to understand how common certain automation risks really are.
Across those repositories the scanner flagged over 500 potential findings.
Most of them fell into a few recurring patterns.
- Mutable GitHub Actions
A surprisingly common pattern looked like this:
uses: actions/checkout@v3
That is, the action is referenced by a mutable tag rather than pinned to a specific commit SHA.
When tags move upstream, workflows can end up executing different code than originally intended.
Pinning to the commit SHA removes that uncertainty.
It’s a small change but one that significantly reduces supply-chain exposure.
- Long-Lived Automation Tokens
Another pattern showed up repeatedly: credentials that never rotate.
Many CI/CD environments rely on tokens that remain valid indefinitely.
If one of those credentials leaks even briefly it can allow an attacker to trigger builds, publish artifacts, or move through automation pipelines.
Machine credentials should behave more like temporary infrastructure keys, not permanent passwords.
- Over-Privileged Automation
Automation jobs often run with permissions broader than they actually need.
Examples included:
CI pipelines with full repository access
deployment workflows capable of modifying unrelated infrastructure
service accounts with admin-level privileges
Most of the time this happens for convenience.
But once automation chains together multiple actions, excessive permissions create unnecessary blast radius.
- Broad Workflow Triggers
Another recurring pattern involved workflows triggered by very broad events.
on: push
Here the workflow runs on every push, with no restriction on branches or execution context.
This can create scenarios where unexpected commits or pull requests trigger automation with elevated permissions.
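As an added illustration (my own example, not nexora-cli's code, whose internals the post does not show), here is a small line-based checker for three of the four patterns above, run on a constructed weak workflow and its hardened counterpart. The long-lived-token pattern is not visible in workflow YAML and is left out; the pinned SHA is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow (not from the post) carrying three of the patterns above.
WEAK_WORKFLOW = """\
on: push
permissions: write-all
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
"""

# The same workflow with each finding addressed (the SHA is a placeholder, not a real pin).
HARDENED_WORKFLOW = """\
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  build:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)")


def scan_workflow(text):
    """Return (kind, detail) tuples for the workflow-level patterns discussed above."""
    findings = []
    lines = text.splitlines()
    # 1. Actions referenced by a mutable tag or branch instead of a full commit SHA.
    for ln in lines:
        m = USES_RE.match(ln)
        if m and not SHA_RE.match(m.group(2)):
            findings.append(("mutable-action", f"{m.group(1)}@{m.group(2)}"))
    # 2. Top-level 'on:' key plus its indented children; no branch filter means any push runs it.
    trig = re.search(r"^on:.*(?:\n[ \t]+.*)*", text, re.M)
    if trig and "branches" not in trig.group(0):
        findings.append(("broad-trigger", " ".join(trig.group(0).split())))
    # 3. GITHUB_TOKEN scope: absent means the repository default applies; write-all is maximal.
    perms = [ln for ln in lines if ln.startswith("permissions:")]
    if not perms:
        findings.append(("no-explicit-permissions", "repository default applies"))
    elif "write-all" in perms[0]:
        findings.append(("over-privileged", perms[0].strip()))
    return findings
```

Running it on the weak workflow yields one finding per pattern, while the hardened version yields none.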
What This Actually Shows
None of these findings are catastrophic by themselves.
But together they reveal something important.
Machine identities accumulate risk quietly.
They operate continuously in the background and often hold powerful permissions.
When something eventually fails (a dependency compromise, a token exposure, or a malicious commit), those identities already have the access needed to cause damage.
Why This Research Matters
Modern infrastructure is increasingly automated.
CI/CD pipelines deploy code.
Cloud roles spin up infrastructure.
APIs connect services together.
As automation grows, machine identity security becomes just as important as human access control.
That realization is what led to the creation of Nexora.
The platform focuses on observing how machine identities behave across environments (CI/CD systems, APIs, and cloud IAM) and detecting patterns that indicate risk.
The research tool used for this experiment is nexora-cli, which analyzes repository workflows for automation security patterns.
The Bigger Lesson
The most interesting takeaway wasn’t the number of findings.
It was how predictable the patterns were.
Most issues came from the same few habits:
convenience over least privilege
long-lived automation credentials
workflows that quietly accumulate permissions over time
These are natural outcomes of fast-moving engineering teams.
Automation grows faster than visibility.
If You're Curious
If you want to experiment with the scanner or run it against your own repositories, the CLI is available here:
github.com/nexora/nexora-cli
I’m continuing to expand the research and would genuinely be interested in hearing what others find.
Machine identity security is still an underexplored area, and real-world observations from engineers are the best way to understand where the risks actually live.
Yasar Bin Gursain
Founder, Nexora