tj-actions/changed-files github actions compromised

[prabhu]

tj-actions/changed-files#2463
https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/

The good news is that our projects do not use this step. Even better, cdxgen collects GitHub actions by default.

However, cdxgen does not collect GitHub Actions in the following two scenarios (which could represent the bulk of use cases):

1. When an explicit type argument is specified (e.g., -t java instead of -t universal).
2. When an exclude type is specified (e.g., --exclude-type github).

Ideally, users must let the sbom tools to detect all languages and generate a comprehensive SBOM. Please comment if your team has successfully collected GitHub Actions with Dependency Track and managed to patch the affected applications that used these compromised actions.

[prabhu]

Looks like there is a new CVE against GitHub/CodeQL-action. Hope folks have started collecting GitHub components by now.

https://www.praetorian.com/blog/codeqleaked-public-secrets-exposure-leads-to-supply-chain-attack-on-github-codeql/