AI Workflow Protection for GitHub Actions

Eliad Mualem·April 16, 2026·4 min read

The Cline Compromise

AI workflow protection is suddenly a real problem. Claude Code Action, Copilot Autofix, and Cline's triage workflow all read untrusted content from GitHub and take real actions. A few days ago I wrote about the Cline compromise: five million installations taken down by a malicious GitHub issue title that was processed by an AI triage workflow. The agent read the input, followed its instructions, and eventually leaked production credentials.

Today we are shipping the answer.

Where Prompt Injection Actually Hurts in CI/CD

AI agents are moving from chat into pipelines. They read content written by people on the internet and then take actions. A GitHub issue title is untrusted input. A pull request description is untrusted input. A review comment is untrusted input. Before an AI agent acts on any of them, someone has to ask the one question that matters:

What will this input make my LLM try to do?

Without that check, your CI/CD pipeline becomes an attack surface. Every issue filed by a stranger is a potential prompt injection against your AI workflow.

Introducing LLMSecure for GitHub Actions

LLMSecure now ships as a composite GitHub Action that adds a prompt injection check before your AI step runs. Drop it into any workflow where an AI agent processes external content, and it validates the event payload through the same engine that powers our public scanner: static pattern matching plus dynamic intent extraction in a sandboxed LLM. If the input is flagged as UNSAFE, the step fails, the AI action does not run, and your tokens, tools, and data stay put.

Here is the full integration:

name: AI Issue Triage (Protected)

on:
  issues:
    types: [opened, edited]

jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: LLMSecure Scan
        uses: llmsecure/validate-action@v1
        with:
          api-key: ${{ secrets.LLMSECURE_API_KEY }}

      # Only runs if LLMSecure passed.
      - name: AI Triage
        uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          github_token: ${{ secrets.GITHUB_TOKEN }}

One step, before the AI step. If the scan comes back UNSAFE, the workflow exits with a non-zero code. GitHub stops the job. The AI agent never sees the input.

What Gets Validated

The action reads the GitHub event payload directly. No extra configuration, no scope creep.

  • Issues: title and body
  • Issue comments: comment body
  • Pull requests: title and body
  • Pull request review comments: comment body

That covers every common source of untrusted text that a CI bot processes. More event types are easy to add as the action surface grows.
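The gating logic the action performs, as an added example that is not LLMSecure's own code: it picks the untrusted fields out of the GitHub event payload for exactly the four event types listed above, skips a null body, and fails closed on an unknown event type or a scanner error so the AI step never runs unchecked. The `verdict` callback and `SAMPLE_ISSUE_EVENT` are assumptions standing in for the engine call and a real payload.

```python
import json
from typing import Callable, Dict, List

# Stand-in for the scanner call: the real action sends each field to the
# LLMSecure engine; here any callable returning "SAFE" or "UNSAFE" fits.
Verdict = Callable[[str], str]

# Untrusted fields per event, the four event types the post lists, keyed
# by GitHub's event name (the value of GITHUB_EVENT_NAME).
UNTRUSTED_FIELDS: Dict[str, List[List[str]]] = {
    "issues": [["issue", "title"], ["issue", "body"]],
    "issue_comment": [["comment", "body"]],
    "pull_request": [["pull_request", "title"], ["pull_request", "body"]],
    "pull_request_review_comment": [["comment", "body"]],
}

# Constructed sample payload (trimmed): an issue opened with no body,
# which GitHub delivers as "body": null rather than an empty string.
SAMPLE_ISSUE_EVENT = {
    "action": "opened",
    "issue": {"number": 1, "title": "Build fails on main", "body": None},
}

def extract_untrusted_text(event_name: str, payload: dict) -> List[str]:
    """Collect the untrusted text fields for this event. Unknown event
    types raise so the caller fails closed instead of skipping the scan."""
    if event_name not in UNTRUSTED_FIELDS:
        raise ValueError(f"no validation rule for event {event_name!r}")
    texts: List[str] = []
    for path in UNTRUSTED_FIELDS[event_name]:
        node = payload
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, str) and node.strip():  # skip null/empty body
            texts.append(node)
    return texts

def gate(event_name: str, payload: dict, verdict: Verdict) -> int:
    """Exit code for the protective step: 0 lets the AI step run, 1 blocks
    it. A scanner error or an unknown event also returns 1 (fail closed)."""
    try:
        for text in extract_untrusted_text(event_name, payload):
            if verdict(text).strip().upper() != "SAFE":
                return 1
        return 0
    except Exception:
        return 1
```

In a real step the payload is the JSON GitHub writes to the file named by GITHUB_EVENT_PATH, and the event name comes from GITHUB_EVENT_NAME; `json.load` on that file gives the `payload` argument above.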

How the Defense Works

The engine behind the action is the same one I wrote about in The Missing Layer in LLM Security. Static rules catch the known patterns. The dynamic sandbox runs the input through an LLM with no guardrails and watches what it tries to do. The delivery mechanism (issue title, PR body, comment) changes. The intent does not.

An attacker can change the words, but they cannot change the intent. And now they cannot reach your agent either.

Get Started

Three steps to protect an AI workflow:

  1. Create an account and grab an API key.
  2. Add it as LLMSECURE_API_KEY in your repository secrets.
  3. Add the LLMSecure step before your AI action.

That is the whole integration. The same engine, the same verdicts, now sitting between the open internet and your most privileged workflows.

If you run AI in CI, this is the layer that was missing.