The Broadside · News

Microsoft flags Claude Code Action secret-exposure flaw

Agentic CI/CD turns issue comments into an input boundary, and old secret-scrubbing assumptions do not cover that model.


TL;DR

Microsoft Threat Intelligence says Anthropic’s Claude Code GitHub Action could expose CI/CD workflow secrets when agents processed untrusted GitHub issues, pull request text, or comments. The gap was in the Read tool, which Microsoft says could access /proc/self/environ and read ANTHROPIC_API_KEY and possibly other runner credentials. Anthropic mitigated it in Claude Code 2.1.128 by blocking sensitive /proc files; teams using AI-assisted GitHub workflows need to separate untrusted content from secrets and tool access.

Microsoft’s finding is useful because it is specific. Claude Code Action had environment scrubbing for subprocess paths such as Bash, but Microsoft says the Read tool was outside that sandboxing model and could be authorized to read /proc/self/environ, exposing the workflow’s ANTHROPIC_API_KEY and potentially other credentials available to the GitHub Actions runner. Anthropic fixed the issue in Claude Code 2.1.128 by blocking access to sensitive /proc files, according to Microsoft.
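One way a file-read tool can enforce the kind of procfs deny rule described above, written as an added example for this post rather than Anthropic's own code; the `SENSITIVE_PROC` pattern, the `cwd` parameter and the extra `cmdline`/`mem` entries are assumptions, and the point is that both the lexically normalized path and the symlink-resolved path must be checked:

```python
import os
import posixpath
import re

# Constructed deny pattern (assumption, not Anthropic's rule set). The page names
# /proc/self/environ; cmdline and mem are added here as further credential/memory
# leaks. Covers /proc/self, /proc/thread-self and /proc/<pid> (what /proc/self
# resolves to on Linux), with or without a /task/<tid> component.
SENSITIVE_PROC = re.compile(
    r"^/proc/(?:self|thread-self|\d+)(?:/task/\d+)?/(?:environ|cmdline|mem)$"
)


def canonical_paths(path: str, cwd: str = "/") -> tuple:
    """Return (lexical, resolved) absolute forms of a requested path.

    lexical: '..', '.', '//' collapsed without touching the filesystem, so
    'proc/self/../self/environ' cannot hide behind traversal.
    resolved: symlinks followed, so a workspace link into /proc is caught too.
    """
    absolute = path if path.startswith("/") else posixpath.join(cwd, path)
    # normpath keeps a leading '//' verbatim (POSIX allows it); fold it to '/'.
    lexical = "/" + posixpath.normpath(absolute).lstrip("/")
    resolved = os.path.realpath(lexical)
    return lexical, resolved


def read_allowed(path: str, cwd: str = "/") -> bool:
    """Policy check a file-read tool should run before opening anything."""
    return not any(SENSITIVE_PROC.match(p) for p in canonical_paths(path, cwd))


def guarded_read(path: str, cwd: str = "/") -> str:
    """Read a file only when policy allows; otherwise refuse loudly."""
    if not read_allowed(path, cwd):
        raise PermissionError(f"blocked read of sensitive procfs entry: {path}")
    with open(path, "r", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # Constructed requests of the kind an injected prompt might steer an agent into.
    for req in ["/proc/self/environ", "proc/self/../self/environ", "//proc/self/environ",
                "/proc/thread-self/environ", "/proc/1/task/1/environ",
                "/proc/self/status", "README.md"]:
        print(f"{req:30} -> {'allowed' if read_allowed(req) else 'BLOCKED'}")
```

A deny list only closes the paths it names; the page's stronger advice, keeping secrets out of jobs that handle untrusted text, removes the value the read would expose.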

The broader lesson is the part compliance programs tend to file too gently under “AI risk.” GitHub Actions workflows were built for deterministic automation. An agentic workflow can treat natural language in an issue body, pull request description, or comment as operational instruction. Microsoft says it began the research after seeing prompt-injection attempts in public repositories using AI-assisted GitHub workflows across multiple vendors, including payloads hidden in HTML comments that the model sees but the browser-rendered issue does not show.

For federal suppliers, this maps cleanly onto the software supply-chain controls already sitting on the desk. NIST’s DevSecOps work says its project demonstrates how organizations can implement Secure Software Development Framework practices using modern DevSecOps pipelines, and NIST’s EO 14028 vendor-risk guidance points agencies toward scrutiny of vendor SDLC capabilities and SSDF conformity (https://csrc.nist.gov/pubs/other/2026/03/24/devsecops-practices/iprd, https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-supply-chain-security-guidance-21). Agentic CI/CD belongs in that evidence package. If the agent can read files, call tools, open pull requests, or communicate externally, it is part of the pipeline’s trusted computing base.

The Monday work is plain: update Claude Code Action, audit where AI agents process untrusted GitHub content, remove secrets from those jobs where feasible, narrow permissions on file-read and pull-request tools, and treat rendered GitHub text as the wrong security boundary. The model reads raw content. Attackers will write for the model.


Published · Deep Fathom