awesome-cicd-security
A curated list of awesome CI CD security resources
GitHub: 521 stars, 11 watching, 40 forks, last commit 4 months ago
Awesome CI/CD Security / Books
Advanced Infrastructure Penetration Testing
Awesome CI/CD Security / Guidelines
Defending Continuous Integration/Continuous Delivery (CI/CD) Environment from CISA & NSA
Awesome CI/CD Security / Blogs / General
Top 10 CI/CD Security Risks (3 stars, last commit over 2 years ago)
Continuous Delivery 3.0 Maturity Model (CD3M)
Visualizing CI/CD from an attacker’s perspective
The Anatomy of an Attack Against a Cloud Supply Pipeline
When Supply-Chain Attacks Meet CI/CD Infrastructures
CI/CD Supply Chain Attacks for Data Exfiltration or Cloud Account Takeover
Detecting Malicious Activity in CI/CD Pipeline with Tracee
Let’s Hack a Pipeline: Argument Injection
Let’s Hack a Pipeline: Stealing Another Repo
Let’s Hack a Pipeline: Shared Infrastructure
Poorly Configured CI/CD Systems Can Be A Backdoor Into Your Infrastructure
Assess Vulnerabilities and Misconfigurations in CICD Pipelines: Part 1
Assess Vulnerabilities and Misconfigurations in CICD Pipelines: Part 2
Defending software build pipelines from malicious attack
Cloud Native Best Practices: Security Policies in CI/CD Pipelines
Awesome CI/CD Security / Blogs / GitLab
Abusing GitLab Runners
Critical GitLab vulnerability could allow attackers to steal runner registration tokens
Understanding GitLab's Security Threats and Strengthening Your Preparedness
Securing GitLab CI pipelines with Sysbox
GitLab - Security for self-managed runners
Awesome CI/CD Security / Blogs / GitHub Actions
Stealing arbitrary GitHub Actions secrets
Exploiting GitHub Actions on open source projects
GitHub Action Runners Analyzing the Environment and Security in Action
What the fork? Imposter commits in GitHub Actions and CI/CD
The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree
Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows
Long Live the Pwn Request: Hacking Microsoft GitHub Repositories and More
One Supply Chain Attack to Rule Them All – Poisoning GitHub’s Runner Images
TensorFlow Supply Chain Compromise via Self-Hosted Runner Attack
Self-hosted runner security
Automatically Secure Your CI/CD Pipelines Using Tracee GitHub Action
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
Keeping your GitHub Actions and workflows secure Part 3: How to trust your building blocks
Github Actions Security Best Practices
Security hardening for GitHub Actions
Awesome CI/CD Security / Blogs / Jenkins
Attacking Jenkins
Attacking Jenkins with Shared Libraries
Reflections on trusting plugins: Backdooring Jenkins builds
Securing Jenkins
How to Secure Jenkins Pipelines without the hassle
Awesome CI/CD Security / Blogs / ArgoCD
ArgoCD SSRF
Redis or Not – Revealing a Critical Vulnerability in Argo CD Kubernetes Controller
Six Critical Blindspots While Securing Argo CD
Security Considerations
Argo CD Security Practices
Awesome CI/CD Security / Videos
Attacking Development Pipelines For Actual Profit
Exploiting Continuous Integration (CI) and Automated Build systems
Continuous Intrusion: Why CI Tools Are An Attacker's Best Friends
OMGCICD - From Intern to Production by: Denis Andzakovic
Attacking Argo CD with Argo CD (and then Defending) - Michael Crenshaw, Intuit
Challenges to Securing CI/CD Pipelines
How to Build a Compromise Resilient CI/CD
Awesome CI/CD Security / Repositories
Threat Matrix for CI/CD Pipeline (733 stars, last commit 3 months ago)
Jenkins Attack Framework (554 stars, last commit over 3 years ago)
pwn_jenkins (1,948 stars, last commit 3 months ago)
Awesome CI/CD Security / Tools
Gato (539 stars, last commit about 2 months ago): A tool that helps blue teamers and offensive security practitioners find weaknesses in a GitHub organization's public and private repositories
clank (21 stars, last commit 26 days ago): Simple tool that detects imposter commits in GitHub Actions workflows
legitify (760 stars, last commit 11 days ago): Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
poutine (209 stars, last commit 15 days ago): A security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository
Harden-Runner (598 stars, last commit 10 days ago): Network egress filtering and runtime security for GitHub-hosted and self-hosted runners
Cimon (84 stars, last commit 26 days ago): Runtime security solution for your CI/CD pipeline
Raven (611 stars, last commit about 1 month ago): A security tool designed to perform large-scale scans of GitHub Actions CI workflows and load the discovered data into a Neo4j database
Awesome CI/CD Security / Playground
CI/CDon't
CI/CD Goat (1,919 stars, last commit 3 months ago)
GitHub Actions Goat (433 stars, last commit 10 days ago)
Awesome CI/CD Security / Cases
10 real-world stories of how we’ve compromised CI/CD pipelines
CI/CD pipeline attacks: A growing threat to enterprise security
Poisoned pipelines: Security researcher explores attack methods in CI environments
Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects
GitHub Actions being actively abused to mine cryptocurrency on GitHub servers
Report: Software supply chain attacks increased 300% in 2021
Critical vulnerability discovered in popular CI/CD framework
Malicious Kubernetes Helm Charts can be used to steal sensitive information from Argo CD deployments
New Attacks on Kubernetes via Misconfigured Argo Workflows
Argo CD Security Bug Opens Kubernetes Cloud Apps to Attackers
Ransomware attacks on GitHub, Bitbucket, and GitLab – what you should know
Compromising CI/CD Pipelines with Leaked Credentials