Skip to content

CI/CD Providers


Article Description
Mercari's Research
Top10 CI/CD Security Risks Focus areas for securing CI/CD environments
Visualizing CI/CD from an attacker’s perspective Lessons learned and insight gained from a year of modeling and engineering CI/CD graphs from the attacker's perspective
10 real-world stories of how we’ve compromised CI/CD pipelines Some of war stories from NCC about what they have observed and been able to demonstrate on CI/CD pipeline security assessments
Controlling the Source: Abusing Source Code Management Systems A few ways to abuse some of the most popular source code management systems to perform various attack scenarios, like
  • reconnaissance
  • manipulation of user roles
  • repository takeover
  • pivoting to other DevOps systems
  • user impersonation
  • maintaining persistent access
Characterizing the Security of Github CI Workflows Paper comparing 6 popular CI/CD platforms and how they enforce security properties like: Admittance Control, Execution Control, Code Control, and Access to Secrets



Article Description
Securing GitHub organizations Step-by-step process for securing your GitHub organization
Security hardening for GitHub Actions Good security practices for using GitHub Actions features
Github Actions Security Best Practices Some of the key security concerns you should be aware of when using Github Actions, alongside the best practices that Salesforce Heroku follows to securely use them
Protect Your GitHub Actions with Semgrep What can happen (secrets stolen, repo backdoored), and how to protect yourself with open source Semgrep rules
Secure deployments with OpenID Connect & GitHub Actions
Leaking Secrets From GitHub Actions Different areas that could help leaking secrets from GitHub Actions workflows vulnerable to command injection:
  • Reading files and environment variables
  • Intercepting network/process communication
  • Dumping memory


Tool Description
Marco Lancini Identity Federation for CI on AWS A small Terraform module which automates the setup of OIDC federation between AWS and Github Actions/GitLab CI
auth (GCP) GitHub Action for authenticating to Google Cloud with GitHub Actions OIDC tokens and Workload Identity Federation
Improve GitHub Actions OIDC security posture with custom issuer You can grant developers permission to invoke iam:CreateRole without worrying that an errant role trust policy has opened up access to the entirety of


Tool Description
Allstar A GitHub app that provides automated continuous enforcement of security best practices for GitHub projects
policy-bot A GitHub App that enforces approval policies on pull requests
dco A GitHub App that enforces the Developer Certificate of Origin (DCO) on pull requests
gitoops A tool to help attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls
lobster-pot Scans every git push to your Github organisations to find unwanted secrets
reposaur Audit your GitHub data using custom policies written in Rego
ratchet A tool for securing CI/CD workflows with version pinning
chain-bench A tool for auditing your software supply chain stack for security compliance
  • A stateless GitHub API proxy that allows creation and use of access-limited GitHub API tokens
  • Basically, it's identity and access management for GitHub API tokens
github-analyzer A tool to check the security settings of Github Organizations



Article Description


Tool Description
Marco Lancini Identity Federation for CI on AWS A small Terraform module which automates the setup of OIDC federation between AWS and Github Actions/GitLab CI