CI/CD Security
What is CI/CD Security?
CI/CD SecurityThe set of controls protecting continuous integration and continuous delivery pipelines from compromise, code injection, secret leakage, and unauthorized deployments.
CI/CD systems sit between source code and production, so a compromise there gives attackers near-arbitrary control over what runs. CI/CD security covers identity (least-privilege OIDC tokens, federated identities, no long-lived deployment keys), pipeline configuration (pinned runners, signed build steps, isolated jobs), secret management (vaults, JIT credentials, secret scanning, masked logs), source integrity (signed commits, branch protection, mandatory reviews), supply-chain controls (SBOM, SLSA, signed artifacts), and runtime protection of the controllers themselves. Notable incidents like SolarWinds, Codecov, and the SCMKit research highlighted CI/CD as a high-value target. Frameworks include OWASP CI/CD Top 10 and CISA guidance on securing the software supply chain.
● Examples
- 01
GitHub Actions using OIDC federation to AWS with no long-lived secrets.
- 02
Enforcing CODEOWNERS, signed commits, and mandatory reviews on the main branch.
● Frequently asked questions
What is CI/CD Security?
The set of controls protecting continuous integration and continuous delivery pipelines from compromise, code injection, secret leakage, and unauthorized deployments. It belongs to the Application Security category of cybersecurity.
What does CI/CD Security mean?
The set of controls protecting continuous integration and continuous delivery pipelines from compromise, code injection, secret leakage, and unauthorized deployments.
How does CI/CD Security work?
CI/CD systems sit between source code and production, so a compromise there gives attackers near-arbitrary control over what runs. CI/CD security covers identity (least-privilege OIDC tokens, federated identities, no long-lived deployment keys), pipeline configuration (pinned runners, signed build steps, isolated jobs), secret management (vaults, JIT credentials, secret scanning, masked logs), source integrity (signed commits, branch protection, mandatory reviews), supply-chain controls (SBOM, SLSA, signed artifacts), and runtime protection of the controllers themselves. Notable incidents like SolarWinds, Codecov, and the SCMKit research highlighted CI/CD as a high-value target. Frameworks include OWASP CI/CD Top 10 and CISA guidance on securing the software supply chain.
How do you defend against CI/CD Security?
Defences for CI/CD Security typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for CI/CD Security?
Common alternative names include: Pipeline security, Build pipeline security.
● Related terms
- appsec№ 1069
Software Supply Chain Security
The discipline of protecting every link of the software production chain - source, dependencies, build, signing, distribution, and deployment - against tampering, malicious code, and integrity loss.
- appsec№ 1053
SLSA Framework
Supply-chain Levels for Software Artifacts: a tiered set of requirements published by OpenSSF that progressively hardens how software is built, signed, and verified against supply-chain tampering.
- appsec№ 459
Hardcoded Secrets in Code
Embedding credentials, API keys, tokens, or cryptographic material directly in source code, configuration files, or container images, where they are easily discovered and abused.
- appsec№ 444
GitOps Security
Security practices for GitOps workflows, where the declarative desired state of infrastructure and applications is stored in Git and reconciled into production by an automated controller.
- appsec№ 784
Package Signing
Applying a cryptographic signature to a software package so that consumers can verify the publisher's identity and that the artifact has not been altered after release.
- appsec№ 309
DevSecOps
A culture and set of practices that integrates security responsibilities into DevOps workflows so engineers ship secure software continuously and at speed.