List of awesome resources about CI/CD security included books, blogs, videos, tools and cases.
- Top 10 CI/CD Security Risks
- Continuous Delivery 3.0 Maturity Model (CD3M)
- Visualizing CI/CD from an attacker’s perspective
- The Anatomy of an Attack Against a Cloud Supply Pipeline
- When Supply-Chain Attacks Meet CI/CD Infrastructures
- CI/CD Supply Chain Attacks for Data Exfiltration or Cloud Account Takeover
- Detecting Malicious Activity in CI/CD Pipeline with Tracee
- Let’s Hack a Pipeline: Argument Injection
- Let’s Hack a Pipeline: Stealing Another Repo
- Let’s Hack a Pipeline: Shared Infrastructure
- Poorly Configured CI/CD Systems Can Be A Backdoor Into Your Infrastructure
- Assess Vulnerabilities and Misconfigurations in CICD Pipelines: Part 1
- Assess Vulnerabilities and Misconfigurations in CICD Pipelines: Part 2
- Defending software build pipelines from malicious attack
- Cloud Native Best Practices: Security Policies in CI/CD Pipelines
- CI/CD secrets extraction, tips and tricks
- Abusing GitLab Runners
- Critical GitLab vulnerability could allow attackers to steal runner registration tokens
- Understanding GitLab's Security Threats and Strengthening Your Preparedness
- Securing GitLab CI pipelines with Sysbox
- GitLab - Security for self-managed runners
- Stealing arbitrary GitHub Actions secrets
- Exploiting GitHub Actions on open source projects
- GitHub Action Runners Analyzing the Environment and Security in Action
- What the fork? Imposter commits in GitHub Actions and CI/CD
- The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree
- Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows
- Long Live the Pwn Request: Hacking Microsoft GitHub Repositories and More
- One Supply Chain Attack to Rule Them All – Poisoning GitHub’s Runner Images
- TensorFlow Supply Chain Compromise via Self-Hosted Runner Attack
- Self-hosted runner security
- Automatically Secure Your CI/CD Pipelines Using Tracee GitHub Action
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 3: How to trust your building blocks
- Github Actions Security Best Practices
- Security hardening for GitHub Actions
- GitHub Actions exploitation: introduction
- GitHub Actions exploitation: untrusted input
- GitHub Actions exploitation: repo jacking and environment manipulation
- GitHub Actions exploitation: self hosted runners
- GitHub Actions exploitation: Dependabot
- Hijacking GitHub runners to compromise the organization
- GitHub Actions OIDC – Non-Human Identities and Secretless Authentication
- Securing APIs with GitHub Actions OIDC and Envoy Proxy
- Attacking Jenkins
- Attacking Jenkins with Shared Libraries
- Reflections on trusting plugins: Backdooring Jenkins builds
- Securing Jenkins
- How to Secure Jenkins Pipelines without the hassle
- ArgoCD SSRF
- Redis or Not – Revealing a Critical Vulnerability in Argo CD Kubernetes Controller
- Six Critical Blindspots While Securing Argo CD
- Security Considerations
- Argo CD Security Practices
- Attacking Development Pipelines For Actual Profit
- Exploiting Continuous Integration (CI) and Automated Build systems
- Continuous Intrusion: Why CI Tools Are An Attacker's Best Friends
- OMGCICD - From Intern to Production by: Denis Andzakovic
- Attacking Argo CD with Argo CD (and then Defending) - Michael Crenshaw, Intuit
- Challenges to Securing CI/CD Pipelines
- How to Build a Compromise Resilient CI/CD
- SmokedMeat - Like Metasploit, but for CI/CD pipelines.
- Gato - A tool that helps blue teamers and offensive security practitioners find weaknesses in GitHub organization's public and private repositories.
- poutine - A security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository.
- Harden-Runner - Network egress filtering and runtime security for GitHub-hosted and self-hosted runners.
- Cimon - Runtime security solution for your CI/CD pipeline.
- releaserun - CLI tool and GitHub Action that scans CI/CD pipeline dependencies for known CVEs, end-of-life versions, and deprecated packages across Node.js, Python, Go, Rust, and Docker. Catches vulnerable dependencies before they reach production.
- Raven - A powerful security tool designed to perform massive scans for GitHub Actions CI workflows and digest the discovered data into a Neo4j database
- nord-stream - Nord Stream is a tool that allows you extract secrets stored inside CI/CD environments by deploying malicious pipelines.
- octoscan - Octoscan is a static vulnerability scanner for GitHub action workflows.
- gh-hijack-runner - A python script to create a fake GitHub runner and hijack pipeline jobs to leak CI/CD secrets.
- zizmor - Static analysis for GitHub Actions.
- actionlint - A static checker for GitHub Actions workflow files.
- 10 real-world stories of how we’ve compromised CI/CD pipelines
- CI/CD pipeline attacks: A growing threat to enterprise security
- Poisoned pipelines: Security researcher explores attack methods in CI environments
- Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects
- GitHub Actions being actively abused to mine cryptocurrency on GitHub servers
- Report: Software supply chain attacks increased 300% in 2021
- Critical vulnerability discovered in popular CI/CD framework
- Malicious Kubernetes Helm Charts can be used to steal sensitive information from Argo CD deployments
- New Attacks on Kubernetes via Misconfigured Argo Workflows
- Argo CD Security Bug Opens Kubernetes Cloud Apps to Attackers
- Ransomware attacks on GitHub, Bitbucket, and GitLab – what you should know
- Compromising CI/CD Pipelines with Leaked Credentials
Your contributions are always welcome.
