<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>OIDC on</title><link>https://deploy-preview-3420--ornate-narwhal-088216.netlify.app/tags/oidc/</link><description>Recent content in OIDC on</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>Copyright (c) 2023 Chainguard</copyright><lastBuildDate>Tue, 23 Dec 2025 15:04:05 +0100</lastBuildDate><atom:link href="https://deploy-preview-3420--ornate-narwhal-088216.netlify.app/tags/oidc/index.xml" rel="self" type="application/rss+xml"/><item><title>Octo STS Overview</title><link>https://deploy-preview-3420--ornate-narwhal-088216.netlify.app/open-source/octo-sts/overview/</link><pubDate>Tue, 23 Dec 2025 15:04:05 +0100</pubDate><guid>https://deploy-preview-3420--ornate-narwhal-088216.netlify.app/open-source/octo-sts/overview/</guid><description>&lt;p&gt;Octo STS is a GitHub App developed by Chainguard that acts as a Security Token Service (STS) for the GitHub API. It enables workloads running anywhere that can produce OIDC tokens to federate with GitHub, exchanging those tokens for short-lived GitHub access tokens. The primary goal is to eliminate the need for GitHub Personal Access Tokens (PATs), which are long-lived credentials that pose significant security risks.&lt;/p&gt;
&lt;h2 id="why-octo-sts-matters" class="heading-2" data-heading-level="2"&gt;
&lt;span class="heading-text"&gt;Why Octo STS Matters&lt;/span&gt;
&lt;/h2&gt;&lt;p&gt;Long-lived access tokens are a common target in security incidents. When attackers gain access to a PAT, they can exploit it to access repositories, make changes, and pivot to other resources. These tokens often have broad permissions and no expiration date, making them particularly dangerous if compromised.&lt;/p&gt;</description></item></channel></rss>