February 27, 2025
5 min read

GitHub Investigations: Securing the Foundation of Modern Innovation

As software development accelerates through DevOps processes, GitHub repositories have become both invaluable intellectual property stores and potential attack vectors. Threat actors increasingly exploit these environments through sophisticated techniques—from hijacking GitHub Actions for cryptocurrency mining to poisoning open-source libraries with backdoors. Security analysts face significant challenges when investigating GitHub activities: logs designed for developers rather than security teams, uncertainty about effective investigation approaches, and overwhelming noise from normal development activities. Command Zero addresses these challenges through an innovative platform that transforms complex investigations into accessible questions, enables seamless pivoting between data sources, and accelerates investigations through AI-powered analysis. By democratizing GitHub security expertise, Command Zero empowers every analyst to conduct sophisticated investigations without specialized knowledge—closing critical security gaps in the DevOps pipeline and establishing comprehensive visibility across interconnected systems.

Eric Hulse
Director of Security Research

Introduction

Software development has fundamentally transformed every aspect of our global economy and daily lives. From financial systems that process trillions in transactions to healthcare applications that monitor vital signs in real-time, software underpins the critical infrastructure of our digital world. At the heart of this innovation are DevOps processes—the sophisticated systems that enable rapid, continuous software delivery through automated workflows, code repositories, and deployment pipelines.  

Yet this powerful ecosystem presents an equally significant security challenge: as organizations accelerate development velocity through platforms like GitHub, they inadvertently expand their attack surface. The sophisticated automation that enables continuous integration and deployment can, if compromised, provide threat actors with unprecedented access to intellectual property, customer data, and critical systems. As development environments transition from isolated workstations to interconnected cloud platforms, securing the DevOps pipeline has emerged as a critical imperative that many security teams remain ill-equipped to address.

Why investigating GitHub activity should be on your radar

Because software development is so central to the modern enterprise, DevOps platforms like GitHub are no longer just developer platforms: they are high-value targets for malicious insiders and external attackers. We see two critical dimensions that security teams need to monitor:  

  1. Protecting the intellectual property in your repositories.  
  2. Preventing, detecting and responding to the increasingly sophisticated ways threat actors weaponize DevOps platforms for attacks. Think code injection, backdoor merges and open-source hijacking.

I've observed threat actors getting remarkably creative with GitHub and other DevOps platforms. Some hijack GitHub Actions runners to mine cryptocurrency on stolen compute. Others, potentially nation-state actors, poison open-source libraries with backdoors. Many abuse GitHub's automation features (workflow triggers, apps, webhooks) so that a single push or pull request sets off a chain of actions with almost no hands-on activity to detect.

When a malicious actor gains access to your GitHub credentials or tokens, they can quietly modify your code, extract sensitive information, or establish persistence, all while flying under the radar of traditional security monitoring. GitHub and Microsoft take preventative measures on the platform side to protect all organizations, but under the shared-responsibility model, detecting and responding to misuse of your own organization's accounts, tokens and repositories remains the job of your security operations team.  

Practical SecOps challenges with investigating GitHub activities

When I talk with security analysts about GitHub investigations, I consistently hear the same frustrations:

"The logs are designed for developers, not security teams." GitHub's audit data is organized around development workflow events (pushes, pull requests, workflow runs, repository settings) rather than around the questions an investigator asks, and which events are retained depends on plan and configuration. Confirm what your organization actually records before building an investigation on it.

"I don't know what questions to ask." Even experienced security professionals struggle to frame effective GitHub investigations—Google "GitHub investigation" and you'll find surprisingly little practical guidance.

"There's too much noise." The volume of normal developer activity (commits, pushes, pull requests, CI runs) makes spotting malicious actions like finding a needle in a digital haystack.

One analyst recently told me: "I know the compromise involved our GitHub environment, but I had to escalate to the one person on our team who understands GitHub's security architecture." This expertise gap creates bottlenecks during critical incidents, increasing mean time to understand, respond and resolve.  

What if every analyst could run advanced GitHub investigations?

At Command Zero, we've reimagined GitHub security investigations through a fundamentally different approach:

We've distilled complex investigation techniques into human-readable questions like "Show me all non-public repositories downloaded by this user in the last week" or "Identify unusual GitHub Actions workflow executions."

When an analyst investigates suspicious email activity, they can seamlessly pivot to explore that same user's GitHub actions, examining repository access, code commits, or personal access token usage without switching contexts. This approach abstracts the data collection for analysts, brings the investigation expertise along in the form of questions, and makes interpretation and reporting accessible to everyone. Teams can encode their best practices for GitHub (and any other supported data source) so that every investigation follows them, while analysts keep the flexibility to go deeper into additional analysis as needed.  

One CISO described our approach as "giving every analyst the GitHub investigation capabilities of my most experienced team member."

Real-life scenarios where this novel approach makes a difference

Consider these high-impact scenarios we're helping teams address:

When offboarding developers, security teams can quickly review their final weeks of activity—identifying downloaded repositories, unusual code commits, or potential intellectual property risks.

During incident response, analysts can trace a compromise from endpoint detection alerts directly to GitHub activity—following the attack chain across systems without the traditional "swivel chair" investigation approach.

Security teams can proactively hunt for GitHub security issues even without specific alerts—reviewing Personal Access Tokens, auditing repository access changes, or identifying unusual workflow patterns.
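The questions above (non-public repositories downloaded by a user in the last week, unusual workflow executions, repository access changes, Personal Access Token grants, and a departing developer's final weeks of activity) can all be answered from an export of the organization audit log. The following is an added example, not Command Zero's code or GitHub's own tooling: it runs those hunts over a small set of constructed audit-log events. The field and action names (`@timestamp`, `actor`, `repo`, `visibility`, `git.clone`, `repo.download_zip`, `repo.access`, `personal_access_token.access_granted`, `workflows.created_workflow_run`) follow GitHub's documented audit log as I understand it, and the fixed reference time is an assumption for reproducibility; check both against your own export before relying on the logic.

```python
"""Run common GitHub investigation questions over org audit-log events.

Added example with constructed data; not Command Zero's or GitHub's code.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is reproducible offline (assumption).
NOW = datetime(2025, 2, 27, tzinfo=timezone.utc)


def ms(days_ago):
    """Epoch milliseconds, the timestamp format of GitHub audit-log exports."""
    return int((NOW - timedelta(days=days_ago)).timestamp() * 1000)


# Constructed JSON-lines export. Action/field names assumed from GitHub's
# documented org audit log; verify them against your own export.
SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in [
    {"@timestamp": ms(1), "action": "git.clone", "actor": "jdoe",
     "repo": "acme/billing-core", "visibility": "private"},
    {"@timestamp": ms(2), "action": "git.clone", "actor": "jdoe",
     "repo": "acme/docs-site", "visibility": "public"},
    {"@timestamp": ms(3), "action": "repo.download_zip", "actor": "jdoe",
     "repo": "acme/auth-service", "visibility": "internal"},
    {"@timestamp": ms(20), "action": "git.clone", "actor": "jdoe",
     "repo": "acme/legacy-tool", "visibility": "private"},   # outside window
    {"@timestamp": ms(1), "action": "git.clone", "actor": "asmith",
     "repo": "acme/billing-core", "visibility": "private"},
    {"@timestamp": ms(2), "action": "repo.access", "actor": "jdoe",
     "repo": "acme/auth-service", "visibility": "public"},   # made public
    {"@timestamp": ms(1), "action": "personal_access_token.access_granted",
     "actor": "jdoe", "user": "jdoe"},
    {"@timestamp": ms(30), "action": "workflows.created_workflow_run",
     "actor": "ci-bot", "repo": "acme/billing-core"},
    {"@timestamp": ms(15), "action": "workflows.created_workflow_run",
     "actor": "ci-bot", "repo": "acme/billing-core"},
    {"@timestamp": ms(1), "action": "workflows.created_workflow_run",
     "actor": "ci-bot", "repo": "acme/billing-core"},
    {"@timestamp": ms(1), "action": "workflows.created_workflow_run",
     "actor": "jdoe", "repo": "acme/billing-core"},           # new actor
])

DOWNLOAD_ACTIONS = {"git.clone", "repo.download_zip"}
WORKFLOW_RUN = "workflows.created_workflow_run"


def load_events(export):
    return [json.loads(line) for line in export.splitlines() if line.strip()]


def in_window(event, days):
    """True if the event happened within the last `days` days before NOW."""
    return event["@timestamp"] >= ms(days)


def nonpublic_downloads(events, actor, days=7):
    """Non-public repositories this user cloned or zip-downloaded recently."""
    return sorted({
        e["repo"] for e in events
        if e["actor"] == actor and e["action"] in DOWNLOAD_ACTIONS
        and e.get("visibility") != "public" and in_window(e, days)
    })


def made_public(events, days=7):
    """Repository access changes that turned a repository public."""
    return [(e["actor"], e["repo"]) for e in events
            if e["action"] == "repo.access" and e.get("visibility") == "public"
            and in_window(e, days)]


def pat_grants(events, days=7):
    """Fine-grained Personal Access Tokens granted org access recently."""
    return [(e["actor"], e.get("user")) for e in events
            if e["action"] == "personal_access_token.access_granted"
            and in_window(e, days)]


def unusual_workflow_runs(events, days=7):
    """Workflow runs in the window by an actor with no prior runs in that repo."""
    baseline = defaultdict(set)  # repo -> actors seen before the window
    for e in events:
        if e["action"] == WORKFLOW_RUN and not in_window(e, days):
            baseline[e["repo"]].add(e["actor"])
    return [(e["actor"], e["repo"]) for e in events
            if e["action"] == WORKFLOW_RUN and in_window(e, days)
            and e["actor"] not in baseline[e["repo"]]]


def offboarding_report(events, actor, days=14):
    """What a departing developer did in their final weeks: action counts
    plus the non-public repositories they pulled down."""
    actions = Counter(e["action"] for e in events
                      if e["actor"] == actor and in_window(e, days))
    return {"actor": actor, "actions": actions,
            "nonpublic_downloads": nonpublic_downloads(events, actor, days)}


EVENTS = load_events(SAMPLE_EXPORT)

if __name__ == "__main__":
    print("non-public downloads by jdoe:", nonpublic_downloads(EVENTS, "jdoe"))
    print("repos made public:", made_public(EVENTS))
    print("PAT grants:", pat_grants(EVENTS))
    print("unusual workflow runs:", unusual_workflow_runs(EVENTS))
    print("offboarding report:", offboarding_report(EVENTS, "jdoe"))
```

The baseline in `unusual_workflow_runs` is deliberately simple (first-seen actor per repository); in a real hunt you would widen it to the workflow name, the triggering event and the runner, and feed the same functions a full export rather than the constructed sample.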

Enable all analysts, embrace all data sources and accelerate investigations

What makes Command Zero’s approach transformative for security teams?

  1. We remove expertise barriers. Every analyst can conduct sophisticated GitHub investigations without specialized knowledge of GitHub's architecture or query syntax.
  2. We connect the dots across systems. Investigations flow naturally between GitHub and other systems—email, identity, endpoints—creating comprehensive visibility.
  3. We accelerate every investigation. AI-powered summarization and timeline generation eliminate manual documentation work, focusing analyst time on higher-value analysis.

Our customers say it best when it comes to the value of this approach: "Before Command Zero, GitHub investigations were a specialized skill. Now they're just part of our standard security workflow."

Improve GitHub analysis today

GitHub represents both a critical asset and a potential attack vector for modern organizations. By bringing GitHub investigations into the mainstream security workflow, we're helping teams close a significant blind spot in their security operations.

The most effective security doesn't come from having specialized experts for every system; it comes from empowering every analyst to follow the evidence wherever it leads. No analyst can be deeply proficient in every system in the environment, but a team can be equipped with an investigation platform that carries that expertise for all of its users. This is exactly what we are building at Command Zero.  

Book a demo with our team to see how Command Zero can transform GitHub investigations and tier-2+ analysis for your organization.  

