CI/CD Pipeline Security Checklist

GitHub Actions, GitLab CI, Jenkins, CircleCI, Buildkite, ArgoCD, Tekton - large orgs have several. List each with version, owner, and trust boundary.

Container registries (ECR, GCR, GHCR, Docker Hub), package registries (npm, PyPI, Maven, NuGet), and binary stores (S3, Artifactory). Each has its own trust model.

GitHub Actions OIDC -> AWS / GCP / Azure roles is a 2024-25 attacker-favourite. Capture the full trust policy of each cloud role so misconfig is auditable.

Fork-PR auto-execution is the most common path to CI compromise. Note pull_request vs pull_request_target usage and label-based gating.

Self-hosted runners reuse the host across jobs unless explicitly ephemeral. Capture runner labels, node OS, and reset policy.

Per-repo via the GitHub/GitLab API. Look for missing required reviews, "stale review dismissal off", and "allow admin bypass" flags.

Workflow-level secrets, environment secrets, repo secrets, organization secrets, and runtime KMS calls. The blast radius of a poisoned pipeline equals this set.

Test/staging/prod deploys often share keys. Confirm separation, audit which stages can write to prod, and document break-glass paths.

CI tests can accidentally publish packages or push tags. Get explicit allow-list of safe test repos, sandbox tenants, and rollback procedure.

Establish baseline: SLSA level claimed, SBOMs generated (CycloneDX/SPDX), signing (cosign/Sigstore). Findings get scored against this baseline.

CICD-SEC-1 (insufficient flow control). Confirm that no role can push to main without a PR, that force-push is disabled, and that admin bypass requires audit.

CICD-SEC-6 (insufficient credential hygiene). Use trufflehog / gitleaks against the full history - rotated secrets that still exist in the cloud are still live.

pull_request_target runs with the upstream`s secrets and a checkout of the fork`s code. Demonstrate exfil with a benign canary (e.g. echo $GITHUB_TOKEN | head).

workflows triggered by issue_comment or labeled events run with the trigger`s secrets. A maintainer-comment trigger that runs untrusted-code is a soft escalation.

CICD-SEC-3 (dependency chain abuse). Pin every Action by SHA, never by tag. tj-actions/changed-files (March 2025 supply-chain compromise) is the canonical case.

CICD-SEC-4. CODEOWNERS files that assign critical paths to bots, deactivated users, or self-approving teams defeat the review control.

Audit org/repo collaborator lists for accounts with no activity in 90 days. Each is a credential-stuffing hand-grenade.

Inbound webhooks (Slack, Sentry, deploy hooks) often have shared secrets that never rotate. Confirm HMAC verification and rotation cadence.

Required-signed-commits is a strong defence against compromised PAT pushes. Confirm whether enforcement is on for protected branches.

Third-party GitHub Apps often hold contents:write or workflows:write. Each is an alternate path to source-stage compromise. Audit and cull.

CICD-SEC-4 (PPE). If a fork PR can change .github/workflows/*.yml and the upstream auto-runs it, the attacker has remote code execution on the runner.

Publish (or simulate publishing) a higher-version public package that matches an internal-only name. CICD-SEC-3 / Birsan-style.

PRs that modify package-lock.json to point at a malicious tarball, or change resolved-from URLs to attacker registries. Often slips by reviewers.

CICD-SEC-2. Self-hosted runners labelled "default" or "ubuntu" can be hijacked by a fork PR that requests them. Confirm runner-group restrictions.

Classic GitHub Actions bug: `run: echo "${{ github.event.pull_request.title }}"`. PR title becomes shell. Audit all expressions in run blocks.

Self-hosted runners must reset filesystem and Docker state between jobs. Otherwise jobs leak SSH keys, cookies, and cached creds across tenants.

GitHub Actions cache, Bazel remote cache, and S3-backed build caches can be written by feature branches and read by main, enabling injection.

CICD-SEC-7. Confirm Trivy / Grype / Snyk runs in the pipeline AND that the build fails on critical findings (not just produces an artifact).

Unsigned artifacts mean the deploy stage trusts whoever wrote to the registry. Confirm cosign sign + verify is wired up and policy-enforced.

in-toto / GitHub Actions attestations record exactly what produced the artifact. Verify the provenance attaches to the registry image and is checked at deploy.

CICD-SEC-7 (insecure system configuration). Deploy roles often hold *:* or admin scopes "for now". Diff against the actual API calls during a deploy run.

CICD-SEC-8. AWS IAM roles trusted with `sub: repo:OWNER/*` are exploitable from any repo in the org. Pin to repo + branch + environment.

If prod deploys do not enforce cosign signatures or admission policy, an attacker with registry-write can swap the image tag and ship malware.

GitHub Environments + Required Reviewers gate prod secrets. Confirm enforcement and that bot accounts cannot self-approve.

Most deploy stages still have one terraform.tfvars or values.yaml committed with creds. Re-scan deploy paths even if the source repo was clean.

Kyverno or OPA Gatekeeper rules requiring cosign signature + provenance close the loop on the supply chain. Confirm policy mode is "enforce", not "audit".

Deploy scripts that curl URLs from config can be steered to 169.254.169.254 to harvest cloud creds. Audit any URL-driven step.

On deploy compromise, rollback must be possible without trusting the same pipeline. Confirm a break-glass rollback path and immutable audit logs.

Terraform state files often contain plaintext credentials. Confirm encrypted backend (S3 + KMS) and that PR-checks do not echo plan output.

Pull-time SBOM-and-provenance verification (e.g. via Sigstore policy-controller) ensures the deploy-stage trusts what the build-stage attested.

Diagram every identity (PAT, App, OIDC, deploy key) -> the secrets it can read -> the systems it can write. This is the deliverable execs care about.

CICD-SEC-1 through CICD-SEC-10 are the procurement-recognised taxonomy. Tagging makes exec summaries scan-friendly.

Most teams claim SLSA level by aspiration, not measurement. Score actual signing, build-isolation, and provenance attestation against L1/L2/L3 criteria.

Where in the chain is signing or provenance missing? Each gap is a place an attacker can swap an artifact unnoticed.

Per Palo Alto Prisma Cloud and GitHub guidance: OIDC + workload-identity + short-lived tokens beats long-lived service-account keys every time.

GitHub Actions Larger Runners + ephemeral self-hosted runners + fork-PR isolation. Specific config snippet should be included in the report.

Fixed-tag pinning (`uses: foo/bar@v3`) is the tj-actions failure mode. Recommend SHA pinning + dependabot for upgrades.

Secrets stored in CI > 1 year should be rotated. Recommend a secret-broker pattern (HashiCorp Vault / AWS Secrets Manager dynamic creds).

Quantify: how many systems would compromise of the worst-case CI identity reach? This is the headline number for board reporting.

CI/CD configs drift weekly. Bake in a 90-day re-test or a continuous CSPM-style scan of pipeline config.