AI Security & CI/CD Security Research

by Barak Haryati, Senior Director of Product Security at JFrog

Barak Haryati conducts research at the intersection of AI Security, Application Security, and CI/CD Security. His work focuses on discovering and preventing Software Supply Chain vulnerabilities in open-source ecosystems — from GitHub Actions exploitation to DevSecOps pipeline misconfigurations that put millions of developers and enterprises at risk.

AI Security and CI/CD Security Research by Barak Haryati

AI Security Research

Barak Haryati's AI Security research explores how artificial intelligence can be applied to scale vulnerability discovery and exploit validation across open-source ecosystems. Through the development of RepoHunter, an AI-powered security research tool, Barak Haryati demonstrated that AI-assisted Application Security research can systematically identify exploitable CI/CD workflow misconfigurations that manual review would miss.

RepoHunter uses AI to crawl thousands of public repositories, analyze their CI/CD configurations, and validate whether identified patterns are genuinely exploitable. This AI Security approach reduces false positives and prioritizes real-world attack scenarios — enabling responsible disclosure of critical vulnerabilities before attackers can operationalize them. The research proved that AI-powered CI/CD Vulnerability Detection can operate at a scale and speed that traditional security auditing cannot match.

CI/CD Security and GitHub Actions Vulnerabilities

A core focus of Barak Haryati's research is CI/CD Security — specifically, how GitHub Actions workflows can be exploited to compromise entire software supply chains. Through systematic GitHub Actions Security research, three distinct exploitation classes were identified and documented:

Test-Based Execution — CI/CD workflows that check out pull request code and execute its test scripts in a privileged context. This pattern was found in QGIS (government GIS infrastructure), SDKMAN (JVM developer toolchain), Typst (language ecosystem registry), and Eclipse Theia (cloud IDE framework).

Build-Scripts and Installer-Based Execution — workflows that run build tools (cargo build, npm ci, make) on untrusted code, so that build hooks execute attacker-controlled commands. This CI/CD Security pattern was identified in Petgraph (hundreds of millions of Rust crate downloads), TC39 (JavaScript standards), Telepresence (CNCF Kubernetes tool), and Tencent/ncnn (mobile AI framework serving 1.4B+ users).

Branch and Config Injection — unsanitized branch names and configuration values interpolated into shell commands, enabling command injection. This Pipeline Security vulnerability was found in P4Lang (SDN infrastructure used by Google, AT&T, Intel), Xorbits Inference (AI model serving with a downstream path to LangChain), and Ceph (distributed storage powering cloud providers).

DevSecOps Security Research

Modern DevSecOps pipelines are built on the assumption that CI/CD infrastructure is trustworthy. Barak Haryati's DevSecOps Security research challenges this assumption by demonstrating how common workflow patterns — triggers like pull_request_target, workflow_run, and issue_comment — can be exploited to escalate from a simple pull request to full repository compromise, secret exfiltration, and registry poisoning.

The shift to trusted publishing models (such as npm's OIDC-based approach) moved the root of trust to CI/CD. When CI/CD Security is compromised, the entire DevSecOps chain collapses. Barak Haryati's research demonstrates that DevSecOps Security requires treating CI/CD pipelines as attack surfaces, not just automation tools — scanning workflow configurations for privilege escalation, secret exposure, and unsafe input handling with the same rigor applied to application code.

Software Supply Chain Attack Prevention

Barak Haryati's Software Supply Chain Security research focuses on preventing ecosystem-wide attacks that originate from CI/CD compromise. A single workflow misconfiguration can cascade into downstream poisoning of package registries — npm, PyPI, crates.io, Docker Hub — affecting millions of developers who trust these distribution channels.

The vulnerabilities discovered by Barak Haryati using RepoHunter demonstrated real-world Supply Chain Attack scenarios: compromised CI tokens that could publish backdoored npm packages (Eclipse Theia), poisoned Rust crates consumed by hundreds of millions of downstream builds (Petgraph), exfiltrated PyPI and Docker credentials enabling AI infrastructure compromise (Xorbits Inference), and Docker Hub credentials exposing SDN networking infrastructure (P4Lang). These findings were responsibly disclosed and helped prevent potential Shai-Hulud 3 style Software Supply Chain attacks across critical open-source projects.

GitHub Actions Security

GitHub Actions has become the dominant CI/CD platform for open-source development, making GitHub Actions Security a critical area of Application Security research. Barak Haryati's research identified specific trigger patterns that create exploitable attack surfaces:

  • pull_request_target — the primary attack vector, where workflows execute in the base repository context with full secrets and write permissions, but process untrusted pull request code
  • workflow_run — workflows triggered by other workflows, creating chains of privilege escalation when combined with untrusted inputs
  • issue_comment — ChatOps-style automation that can be manipulated to trigger high-privilege workflows through crafted comments
  • Unsafe artifact consumption — workflows that consume artifacts from untrusted sources without validation, enabling injection of malicious payloads
  • Script injection via context variables — untrusted GitHub context data (PR titles, branch names, commit messages) interpolated directly into shell commands
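The two most common patterns in the list above, the pull_request_target trigger paired with a checkout of the PR head and untrusted event context spliced into a run step, can be caught with a simple line-based check. The following scanner and both workflow texts are an added example written for this page, not RepoHunter code or any JFrog tool; the workflows are constructed, and the regular expressions cover only a representative subset of contributor-controlled context fields.

```python
import re

# Constructed workflow showing the risky combination: pull_request_target plus a
# checkout of the PR head, and an event field interpolated into a run step.
RISKY_WORKFLOW = """on: pull_request_target
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Checking: ${{ github.event.pull_request.title }}"
          npm ci && npm test"""

# Constructed hardened form: pull_request (forks get no secrets) and the title
# passed through an environment variable instead of being spliced into shell.
HARDENED_WORKFLOW = """on: pull_request
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking: $PR_TITLE"
      - run: npm ci && npm test"""

# Event-context expressions an outside contributor controls (not exhaustive).
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*github\.(event\.(pull_request|issue|comment|review)\.[\w.]+|head_ref)\s*\}\}")
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")

def scan_workflow(text: str) -> list[str]:
    """Line-based heuristic (no YAML parser needed); an empty list means clean."""
    lines = text.splitlines()
    uses_prt = any(re.search(r"\bpull_request_target\b", ln) for ln in lines)
    findings, run_col = [], None  # run_col: column of the run: key we are inside
    for n, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip())
        # Checkout under pull_request_target whose ref: (within a few lines) is the PR head.
        if uses_prt and "actions/checkout" in line and PR_HEAD_REF.search("\n".join(lines[n:n + 4])):
            findings.append(f"line {n}: pull_request_target checks out the PR head with secrets available")
        m = re.match(r"^\s*(?:-\s+)?run:(.*)$", line)
        if m:
            run_col, body = line.index("run:"), m.group(1)
        elif run_col is not None and (not line.strip() or indent > run_col):
            body = line  # continuation line of a multi-line run block
        else:
            run_col, body = None, ""
        if UNTRUSTED_CONTEXT.search(body):
            findings.append(f"line {n}: untrusted event context interpolated into a run step")
    return findings
```

Running `scan_workflow` over a repository's `.github/workflows/*.yml` files gives a quick triage list; a YAML-aware scanner is still needed for cases like context values reaching a shell through a `with:` input of a composite action.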

This GitHub Actions Security research by Barak Haryati led to the responsible disclosure of 13 critical vulnerabilities across projects including Ansible, QGIS, Telepresence, Petgraph, Eclipse Theia, and others. The full technical details are documented in the RepoHunter research page and the JFrog Security Research blog series.

Research Publications

About Barak Haryati

Barak Haryati is Senior Director of Product Security at JFrog, where he leads global teams across Application Security, Cloud Security, and Security Architecture. As a vulnerability researcher specializing in AI Security, CI/CD Security, and DevSecOps Security, he created RepoHunter to proactively hunt Pipeline Security and Software Supply Chain risks before attackers can exploit them.