CI/CD Providers

General

| Article | Description |
|---|---|
| Mercari's Research | |
| Top10 CI/CD Security Risks | Focus areas for securing CI/CD environments |
| Visualizing CI/CD from an attacker's perspective | Lessons learned and insight gained from a year of modeling and engineering CI/CD graphs from the attacker's perspective |
| 10 real-world stories of how we've compromised CI/CD pipelines | War stories from NCC about what they have observed and been able to demonstrate on CI/CD pipeline security assessments |
| Controlling the Source: Abusing Source Code Management Systems | A few ways to abuse some of the most popular source code management systems to perform various attack scenarios, such as reconnaissance, manipulation of user roles, repository takeover, pivoting to other DevOps systems, user impersonation, and maintaining persistent access |
| Characterizing the Security of Github CI Workflows | Paper comparing 6 popular CI/CD platforms and how they enforce security properties such as Admittance Control, Execution Control, Code Control, and Access to Secrets |
| Attackers have better things to do than corrupt your builds | This post clarifies the clucking and clamoring over attackers exploiting vulns or corrupting build pipelines (spoiler alert: it isn't worth their time and effort) |
| 69 Ways to F*** Up Your Deploy | A compendium of 69 ways to f*** up your deploy |

GitHub

Articles

| Article | Description |
|---|---|
| Securing GitHub organizations | Step-by-step process for securing your GitHub organization |
| Security hardening for GitHub Actions | Good security practices for using GitHub Actions features |
| Github Actions Security Best Practices | Some of the key security concerns you should be aware of when using Github Actions, alongside the best practices that Salesforce Heroku follows to use them securely |
| Protect Your GitHub Actions with Semgrep | What can happen (secrets stolen, repo backdoored), and how to protect yourself with open source Semgrep rules |
| Secure deployments with OpenID Connect & GitHub Actions | |
| Leaking Secrets From GitHub Actions | Different areas that could help leak secrets from GitHub Actions workflows vulnerable to command injection: reading files and environment variables, intercepting network/process communication, and dumping memory |

OIDC

| Tool | Description |
|---|---|
| Marco Lancini Identity Federation for CI on AWS | A small Terraform module which automates the setup of OIDC federation between AWS and Github Actions/GitLab CI |
| auth (GCP) | GitHub Action for authenticating to Google Cloud with GitHub Actions OIDC tokens and Workload Identity Federation |
| Improve GitHub Actions OIDC security posture with custom issuer | You can grant developers permission to invoke iam:CreateRole without worrying that an errant role trust policy has opened up access to the entirety of Github.com |
| Fine-Grained RBAC For GitHub Action Workflows With GitHub OIDC and HashiCorp Vault | DigitalOcean's approach to securing CI/CD through GitHub Actions, OIDC, and HashiCorp Vault |
| github-oidc-checker | Tool that checks for misconfigured access to Github OIDC from AWS roles and GCP service accounts; you can also refer to the companion blog post |

Tools

| Tool | Description |
|---|---|
| Allstar | A GitHub app that provides automated continuous enforcement of security best practices for GitHub projects |
| policy-bot | A GitHub App that enforces approval policies on pull requests |
| dco | A GitHub App that enforces the Developer Certificate of Origin (DCO) on pull requests |
| gordon | |
| gitoops | A tool to help attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls |
| lobster-pot | Scans every git push to your Github organisations to find unwanted secrets |
| reposaur | Audit your GitHub data using custom policies written in Rego |
| ratchet | A tool for securing CI/CD workflows with version pinning |
| chain-bench | A tool for auditing your software supply chain stack for security compliance |
| magic-github-proxy | A stateless GitHub API proxy that allows creation and use of access-limited GitHub API tokens; basically, it's identity and access management for GitHub API tokens |
| github-analyzer | A tool to check the security settings of Github Organizations |
| gato | An enumeration and attack tool to evaluate the blast radius of a compromised personal access token within a GitHub organization |
| ToBeReviewedBot | GitHub App to watch for PRs merged without a reviewer approving |

GitLab

Articles

| Article | Description |
|---|---|
| OIDC | |

OIDC

| Tool | Description |
|---|---|
| Marco Lancini Identity Federation for CI on AWS | A small Terraform module which automates the setup of OIDC federation between AWS and Github Actions/GitLab CI |

Tools

| Tool | Description |
|---|---|
| gitlab-watchman | Monitoring GitLab for sensitive data shared publicly |