Link to this headingDevOps
Link to this headingSecuring CI/CD pipelines
- Map out the existing CI/CD pipeline to understand how code moves from development to production
- Enable Branch protection rules. So no force pushes, direct commits to main without approval
- Ensure secrets aren’t exposed and make protective branch protections.
- Use pre-commit hooks to prevent secrets from being committed
- Store secrets in a Secure Vault
- Ensure the Github actions have only the privileges that they need to prevent possible
- Add scanning tools for SAST, DAST and Container security
- Logging and Alerting for security Issues
- Avoid self-hosted runners unless properly secured.
- Rotate CI/CD access tokens regularly.
Link to this headingAttack vectors
Link to this headingPoisoned Pipeline Execution (PPE) attack vectors
-
Modify the CI configuration file (
.github/workflows,.gitlab-ci.yml) -
Modify script files, Terraform configurations, or Makefiles
-
Not properly sanitized input data can allow a Pull request or other action to allow a command execution
-
More info on [GitHub Actions security](/Code Review/CI&CD/Github Actions)
-
More info on [GitLab CI/CD security](/Code Review/CI&CD/Gitlab)
Link to this headingPost Exploitation Data
- Secrets in env, files on disk, or logs
- Access internal network, Access other cloud servers
- Exfill IAM roles/service accounts
- Compromise Production Equipment
Link to this headingSecurity scanning integration
Link to this headingDependency
Use Lavamoat to sandbox npm installs