Lessons From a CI/CD Supply Chain Attack at Grafana Labs
When a compromised GitHub Actions workflow targets your CI/CD pipeline, how do you respond — and what do you change so it never happens again? Nick and David from Grafana Security walk through a real supply chain incident triggered by a pull_request_target misconfiguration, showing exactly what broke, what tools caught it, and what the team rebuilt afterward.
Learn how the Grafana security team used Loki for log investigation, deployed canary tokens as tripwires, and adopted Zizmor and TruffleHog as pipeline hardening tools. This is a candid, technical postmortem with concrete takeaways on securing GitHub Actions workflows, detecting attacker tooling like Gato-X, and building a response process that improves your security posture even after things go wrong.
0:00 Introduction
1:31 The Saturday Morning Alert
2:47 How It Happened: pull_request_target
4:28 April 25th — The Attack Vector
6:11 Gato-X: The Attacker's Tool
9:29 Attack Timeline
10:53 Response Toolkit: IRM, Loki, Zizmor, TruffleHog
18:11 Canary Tokens: How They Caught the Attacker
20:01 Response Timeline
22:16 Recap: What Went Right
23:40 Lessons Learned and Changes Made
Connect with Grafana Labs:
X: (https://www.twitter.com/grafana)
LinkedIn: (https://www.linkedin.com/company/grafana-labs/)
Facebook: (https://www.facebook.com/grafana)
#Grafana #Observability #Security #GrafanaLabs #Loki #IRM #Zizmor #TruffleHog #CanaryTokens