Index

DevOps¶

Securing CI/CD:
1. Map out the existing CI/CD pipeline to understand how code moves from development to production
2. Enable Branch protection rules. So no force pushes, direct commits to main without approval
3. Ensure secrets aren't exposed and make protective branch protections.
- Use pre-commit hooks to prevent secrets from being committed
- Store secrets in a Secure Vault
4. Ensure the Github actions have only the privileges that they need to prevent possible
5. Add scanning tools for SAST, DAST and Container security
6. Logging and Alerting for security Issues
7. Avoid self-hosted runners unless properly secured.
8. Rotate CI/CD access tokens regularly.

Poisoned Pipeline Execution (PPE) Attack Vectors:
- modify the CI config file
- modify a script file, teraform, or make file
- Not properly sanitized input data can allow a Pull request or other action to allow a command execution

Post Exploitation Data:
- Secrets in env, files on disk, or logs
- Access internal network, Access other cloud servers
- Exfill IAM roles/service accounts
- Compromise Production Equipment