CI/CD Providers

General

| Article | Description |
| --- | --- |
| Common Threat Matrix for CI/CD Pipeline | An ATT&CK-like matrix focused on CI/CD pipeline-specific risks |
| Visualizing CI/CD from an attacker's perspective | Lessons learned and insight gained from a year of modeling and engineering CI/CD graphs from the attacker's perspective |

GitHub Actions

Articles

| Article | Description |
| --- | --- |
| Security hardening for GitHub Actions | Good security practices for using GitHub Actions features |
| Github Actions Security Best Practices | Some of the key security concerns you should be aware of when using GitHub Actions, alongside the best practices that Salesforce Heroku follows to use them securely |
| Protect Your GitHub Actions with Semgrep | What can happen (secrets stolen, repo backdoored), and how to protect yourself with open source Semgrep rules |
| Secure deployments with OpenID Connect & GitHub Actions | |
| Container Signing | |

Tools

| Tool | Description |
| --- | --- |
| Allstar | A GitHub app that provides automated continuous enforcement of security best practices for GitHub projects |
| policy-bot | A GitHub App that enforces approval policies on pull requests |
| dco | A GitHub App that enforces the Developer Certificate of Origin (DCO) on pull requests |
| gordon | |
| gitoops | A tool to help attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls |