Securing the CI Pipeline

This Working Session took an in-depth look at the security risks inherent to the CI Pipeline, and what could be done to mitigate these risks.

Synopsis and Takeaways

Why do we need to secure the CI Pipeline?

  • The CI pipeline is huge, consisting of multiple hosts/machines with multiple points of access and processes.
  • The pipeline contains high value targets for attackers, such as:
    • Access to compilers
    • Config files
    • Secrets, keys, passwords. Developers often store keys and other secrets in spreadsheets, config files and Git repositories
  • Assets accessible on the pipeline can be used to escalate privileges
  • Several mechanisms for taking advantage of the above were demonstrated.
  • Although risks are lower in a pipeline that fully implements security standards, pipelines practicing less than ideal security hygiene are not uncommon.

Categories of risks identified:

  • Misconfigurations
  • Secret management
  • Environment security
  • Developer machines
  • Access management

What can you do?

  • Enable Authentication and Two Factor Authentication methods.
  • Check for misconfigurations:
    • hooks
    • secret variables (CI, prod, VCS, artefacts)
    • VCS security
    • Docker configuration/registry
    • Artefact hardening
  • Get your code review right
  • Implement secure secrets management
  • Auditing and monitoring CI/CD servers
  • Harden CI boxes
  • Protect the CI master machines
  • Check registries/artefact storage
  • Secure developers' machines
  • Consider using secret management and automated access provision tools (see below)
  • Use Docker best practices for security

In general, the security of the CI/CD pipelines should be considered as important as your production security!
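
One way to implement the "secret variables" check from the list above, as an added example (not code from the working session): a scanner that flags literal credentials in a CI configuration while ignoring values that reference a variable injected at run time. The rule names, the entropy threshold and the sample pipeline file are assumptions constructed for illustration.

```python
import math
import re

# Well-known literal formats that should never appear in a pipeline file.
RULES = [
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
]
# Generic "sensitive key name = value" assignment (YAML, .env, INI styles).
ASSIGNMENT = re.compile(
    r"\b([\w.-]*(?:password|passwd|secret|token|api[_-]?key)[\w.-]*)"
    r"\s*[:=]\s*['\"]?([^\s'\"#]+)",
    re.IGNORECASE,
)

def shannon_entropy(value):
    """Bits per character: random tokens score high, words and placeholders low."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def scan(text, min_entropy=3.0):
    """Return (line_number, rule, redacted_value) for each suspected hardcoded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append((lineno, rule, match.group(0)[:4] + "..."))
        match = ASSIGNMENT.search(line)
        value = match.group(2) if match else ""
        # "$VAR" / "${VAR}" means the value is injected at run time, which is the goal.
        if len(value) < 8 or value.startswith("$"):
            continue
        if shannon_entropy(value) >= min_entropy:
            findings.append((lineno, "literal-in-" + match.group(1).lower(), value[:4] + "..."))
    return findings

# Constructed sample pipeline file; every value in it is made up.
SAMPLE = """\
variables:
  DB_PASSWORD: "${DB_PASSWORD}"
  DEPLOY_TOKEN: "q8Zr2LmX9vKd4TnB7wYc"
  API_KEY: changeme
  AWS_KEY_ID: AKIAABCDEFGHIJKLMNOP
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)  # a CI job would fail the build when this list is non-empty
```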

Tools for Securing the Pipeline, covered in session:

  • Automated access management/provision:
  • Secret management and automated access provision

A tool like HashiCorp's Vault can help by providing:

  • Secret management
  • Automated and on-demand access provision. This gives you processes that let you control who has access and how long they have access for (limited time to live)
  • Whitelist IPs
  • Two Factor Authentication, with team based authentication available

Other Miscellaneous Threats mentioned:

  • npm typosquatting
  • Logs can be a risk (e.g. recent GitHub log incident)
  • Docker image integrity and registry mis-configurations


Session organiser(s)

Imran Mohammed A, Francois Raynaud


Arne Zismer, Franziska Buehler, Abhinav Sejpal, Alina Radu, Clara Anel Mansilla, Claudio Camerino, Dominik de Smit, Gabor Pek, Imran Chaudhari, Luis Saiz, Mario Platt, Matt Pendlebury, Peter Turczak, Sotiraki Sima, Sven Schleier
Aaron Lane, Abdullah Garcia, Abhi Raj, Andrew Martin, Barbara Schachner, Domenico Malorni, Ernesto Bethencourt, Guy Jarvis, Harmeet Singh, Lubo Vikev, Madhu Akula, Mohanish Mahajan, Mustaqiim Muhar, Paul Cutting, Sergio Issi, Sophie Tonnoir, Sugumaran Uppili, Vandana Verma, Vinod Anandan