Xavier Rene-Corail

@xcorail.bsky.social

Open source security at GitHub. I don’t believe in perfection, but in continuous improvement. Opinions here are mine.

199 Followers  |  355 Following  |  48 Posts  |  Joined: 21.10.2024

Latest posts by xcorail.bsky.social on Bluesky

Towards a secure by default GitHub Actions · community · Discussion #179107 Why are you starting this discussion? Product Feedback What GitHub Actions topic or product is this about? Workflow Configuration Discussion Details Today, GitHub announced upcoming changes to the ...

🚀 GitHub is making Actions more secure by default

We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.

We’ve opened a discussion to gather feedback 👇

🔗 github.com/orgs/communi...

11.11.2025 18:38 — 👍 6    🔁 4    💬 0    📌 0

The internet was on fire. 🔥
One small library affecting billions of systems.
Log4Shell was the biggest security vulnerability of all time.

Now, Log4J maintainer, Christian Grobmeier tells us what it felt like inside the flames 👉 github.blog/open-source/...

20.10.2025 18:37 — 👍 115    🔁 19    💬 5    📌 3

“Ignorance will break all software.”

Log4Shell’s one line of code broke the internet, and taught us all a lesson we can’t ignore. As Christian Grobmeier, maintainer of Log4J puts it: "Learning is the only cure for ignorance. So just keep learning."

20.10.2025 19:05 — 👍 0    🔁 1    💬 0    📌 0

Oh, congrats Kara!

19.10.2025 02:58 — 👍 1    🔁 0    💬 0    📌 0

😭

12.10.2025 00:03 — 👍 0    🔁 0    💬 0    📌 0
Our plan for a more secure npm supply chain GitHub is strengthening npm's security with stricter authentication, granular tokens, and enhanced trusted publishing.

We're taking action to make the npm supply chain stronger and harder to attack. 🛡️

Check out our plan to create a more secure future for the JavaScript community.👇
https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/

30.09.2025 15:55 — 👍 29    🔁 10    💬 1    📌 3

Recent account takeovers and attacks on package registries are a wake-up call: it's time to raise the bar on authentication and secure publishing practices. Find out what npm is doing—and what steps you can take—to help secure the open source supply chain: github.blog/security/sup...

23.09.2025 16:11 — 👍 3    🔁 3    💬 1    📌 0

Yay!

03.09.2025 03:18 — 👍 1    🔁 0    💬 0    📌 0

RIP Graham Greene.

02.09.2025 03:25 — 👍 1    🔁 0    💬 0    📌 0

When we see your smile for 2001 vs. Twilight, we know what the final result will be 😂

12.08.2025 04:40 — 👍 7    🔁 0    💬 0    📌 0

Hey security people, if you’re in Las Vegas, say hi!
If you want to talk open source security, or GitHub security products, I’d be happy to chat!

05.08.2025 16:37 — 👍 0    🔁 0    💬 0    📌 0

Are you at Security BSides Las Vegas?

Our very own Madison Oliver is joining a panel on the evolving role of the CVE Program — from funding challenges to global coordination and new governance models.

ℹ️ pretalx.com/security-bsi...
🗓️ August 5 | ⏰ 13:00–13:45 PT

05.08.2025 07:38 — 👍 1    🔁 1    💬 0    📌 0

Anyone else going to #ossna whose flight to Denver is delayed, without visibility?

23.06.2025 00:57 — 👍 0    🔁 0    💬 0    📌 0

Throw them a volleyball and see what happens. We need to know.

23.06.2025 00:54 — 👍 1    🔁 0    💬 0    📌 0

If you, a business, are reliant on an open source project to function it is YOUR responsibility to assess and ensure the health of that project by either contributing to it yourself or by using an alternative if project health cannot be guaranteed.

22.06.2025 22:11 — 👍 371    🔁 73    💬 7    📌 7

I am curious now … which one?

16.06.2025 01:30 — 👍 1    🔁 0    💬 0    📌 0

It’s free. It’s fun. It’s easy.
Learn about secure coding with the GitHub secure code game.

04.06.2025 05:44 — 👍 1    🔁 0    💬 0    📌 0

Depends. It would take me too long to arrive … I would make long pauses on the grass!

29.05.2025 05:55 — 👍 1    🔁 0    💬 0    📌 0
Security Best Practices for your Project Strengthen your project’s future by building trust through essential security practices — from MFA and code scanning to safe dependency management and private vulnerability reporting.

Is your open source project built on a foundation of trust and security? 🛡️

Strengthen its future with essential practices like MFA, code scanning, safe dependency management, and private vulnerability reporting. 🔐

Learn how to implement these to protect your project and users with this guide. ⬇️

28.05.2025 20:21 — 👍 39    🔁 7    💬 0    📌 0

Season 3 of the GitHub Secure Code Game is coming — AI enters the chat 🤖🔥
Catch up with Seasons 1 and 2 at gh.io/secure-code-game

09.05.2025 16:02 — 👍 11    🔁 6    💬 0    📌 0

It’s a long-time wish. I remember when he was invited by Macron to the French military parade (Bastille Day) in 2017, he said he wanted to do a similar parade in the US.

02.05.2025 03:18 — 👍 1    🔁 0    💬 0    📌 0

So relatable. Thank you Ashley ❤️

27.04.2025 17:36 — 👍 1    🔁 0    💬 0    📌 0

Star Wars has released one hour of Mon Mothma dancing. #Andor www.youtube.com/watch?v=y6wL...

26.04.2025 21:51 — 👍 9    🔁 2    💬 0    📌 0

Agree. I think the best (worst?) episodes are when the plot is so plausible.

20.04.2025 01:45 — 👍 1    🔁 0    💬 0    📌 0

There is one sentence in all this nonsense that I agree with: « this film has to happen » - please DO IT!

17.04.2025 06:11 — 👍 1    🔁 0    💬 0    📌 0

Finally watched the first episode of The Studio. OMG this is hilarious. I must admit I had a hard time with the disrespect of my hero Marty … I’ll get over it, but it was a difficult moment.

15.04.2025 02:19 — 👍 0    🔁 0    💬 0    📌 0

So … Heat or Tombstone tonight? 😢 RIP Val Kilmer

03.04.2025 04:56 — 👍 1    🔁 0    💬 0    📌 0

In this demonstration I show the impact of CVE-2025-25291/CVE-2025-25292, an authentication bypass in ruby-saml used by high profile OSS projects such as GitLab. My team coordinated with both the ruby-saml maintainer and GitLab to get this vulnerability fixed and patches are available at gh.io/glfx

13.03.2025 16:08 — 👍 22    🔁 3    💬 1    📌 0

Alright but can you bring your image out of the room, or does it get wiped out in the elevator?

25.02.2025 05:30 — 👍 1    🔁 0    💬 1    📌 0

Does your outie code work on your innie’s machine?

24.02.2025 23:51 — 👍 11    🔁 0    💬 1    📌 0