awesome-cicd-security

CI/CD security guides

A curated list of resources on securing Continuous Integration/Continuous Delivery pipelines

books A curated list of awesome CI CD security resources

GitHub

530 stars
11 watching
40 forks
last commit: 5 months ago

Awesome CI/CD Security / Books
Advanced Infrastructure Penetration Testing

Awesome CI/CD Security / Guidelines
Defending Continuous Integration/Continuous Delivery (CI/CD) Environment from CISA & NSA

Awesome CI/CD Security / Blogs / General
Top 10 CI/CD Security Risks 3 about 3 years ago
Continuous Delivery 3.0 Maturity Model (CD3M)
Visualizing CI/CD from an attacker’s perspective
The Anatomy of an Attack Against a Cloud Supply Pipeline
When Supply-Chain Attacks Meet CI/CD Infrastructures
CI/CD Supply Chain Attacks for Data Exfiltration or Cloud Account Takeover
Detecting Malicious Activity in CI/CD Pipeline with Tracee
Let’s Hack a Pipeline: Argument Injection
Let’s Hack a Pipeline: Stealing Another Repo
Let’s Hack a Pipeline: Shared Infrastructure
Poorly Configured CI/CD Systems Can Be A Backdoor Into Your Infrastructure
Assess Vulnerabilities and Misconfigurations in CICD Pipelines: Part 1
Assess Vulnerabilities and Misconfigurations in CICD Pipelines: Part 2
Defending software build pipelines from malicious attack
Cloud Native Best Practices: Security Policies in CI/CD Pipelines

Awesome CI/CD Security / Blogs / Azure DevOps Server
Azure DevOps server supply-chain attack tree (map, Attack surface, threat modeling) 7 about 2 years ago

Awesome CI/CD Security / Blogs / GitLab
Abusing GitLab Runners
Critical GitLab vulnerability could allow attackers to steal runner registration tokens
Understanding GitLab's Security Threats and Strengthening Your Preparedness
Securing GitLab CI pipelines with Sysbox
GitLab - Security for self-managed runners

Awesome CI/CD Security / Blogs / GitHub Actions
Stealing arbitrary GitHub Actions secrets
Exploiting GitHub Actions on open source projects
GitHub Action Runners Analyzing the Environment and Security in Action
What the fork? Imposter commits in GitHub Actions and CI/CD
The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree
Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows
Long Live the Pwn Request: Hacking Microsoft GitHub Repositories and More
One Supply Chain Attack to Rule Them All – Poisoning GitHub’s Runner Images
TensorFlow Supply Chain Compromise via Self-Hosted Runner Attack
Self-hosted runner security
Automatically Secure Your CI/CD Pipelines Using Tracee GitHub Action
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
Keeping your GitHub Actions and workflows secure Part 3: How to trust your building blocks
Github Actions Security Best Practices
Security hardening for GitHub Actions

Awesome CI/CD Security / Blogs / Jenkins
Attacking Jenkins
Attacking Jenkins with Shared Libraries
Reflections on trusting plugins: Backdooring Jenkins builds
Securing Jenkins
How to Secure Jenkins Pipelines without the hassle

Awesome CI/CD Security / Blogs / ArgoCD
ArgoCD SSRF
Redis or Not – Revealing a Critical Vulnerability in Argo CD Kubernetes Controller
Six Critical Blindspots While Securing Argo CD
Security Considerations
Argo CD Security Practices

Awesome CI/CD Security / Videos
Attacking Development Pipelines For Actual Profit
Exploiting Continuous Integration (CI) and Automated Build systems
Continuous Intrusion: Why CI Tools Are An Attacker's Best Friends
OMGCICD - From Intern to Production by: Denis Andzakovic
Attacking Argo CD with Argo CD (and then Defending) - Michael Crenshaw, Intuit
Challenges to Securing CI/CD Pipelines
How to Build a Compromise Resilient CI/CD

Awesome CI/CD Security / Repositories
Threat Matrix for CI/CD Pipeline 740 9 months ago
Jenkins Attack Framework 557 almost 4 years ago
pwn_jenkins 1,971 9 months ago

Awesome CI/CD Security / Tools
Gato 573 8 months ago A tool that helps blue teamers and offensive security practitioners find weaknesses in GitHub organization's public and private repositories
clank 23 4 months ago Simple tool that allows you to detect imposter commits in GitHub Actions workflows
legitify 782 5 months ago Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
poutine 239 4 months ago A security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository
Harden-Runner 637 5 months ago Network egress filtering and runtime security for GitHub-hosted and self-hosted runners
Cimon 91 7 months ago Runtime security solution for your CI/CD pipeline
Raven 634 6 months ago A powerful security tool designed to perform massive scans for GitHub Actions CI workflows and digest the discovered data into a Neo4j database

Awesome CI/CD Security / Playground
CI/CDon't
CI/CD Goat 1,967 9 months ago
GitHub Actions Goat 445 4 months ago

Awesome CI/CD Security / Cases
10 real-world stories of how we’ve compromised CI/CD pipelines
CI/CD pipeline attacks: A growing threat to enterprise security
Poisoned pipelines: Security researcher explores attack methods in CI environments
Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects
GitHub Actions being actively abused to mine cryptocurrency on GitHub servers
Report: Software supply chain attacks increased 300% in 2021
Critical vulnerability discovered in popular CI/CD framework
Malicious Kubernetes Helm Charts can be used to steal sensitive information from Argo CD deployments
New Attacks on Kubernetes via Misconfigured Argo Workflows
Argo CD Security Bug Opens Kubernetes Cloud Apps to Attackers
Ransomware attacks on GitHub, Bitbucket, and GitLab – what you should know
Compromising CI/CD Pipelines with Leaked Credentials