CI/CD Security — Pipeline Security
Security best practices for CI/CD pipelines: secret management, supply chain security and SLSA.
Secret Management
- Never put secrets in code or in environment variables in the CI config
- Use native secret stores: GitHub Secrets, GitLab CI Variables (protected + masked)
- For advanced setups: HashiCorp Vault, AWS Secrets Manager
- Rotate secrets regularly
- Audit access
Supply Chain Security
# Dependency scanning
- trivy fs . --scanners vuln
- npm audit / pip-audit / govulncheck
# SBOM generation
- syft . -o spdx-json > sbom.json
# Image signing (Cosign)
cosign sign --key cosign.key registry.example.com/app:v1.0
cosign verify --key cosign.pub registry.example.com/app:v1.0
# SLSA provenance
- slsa-verifier verify-artifact app.tar.gz \
    --provenance-path provenance.json \
    --source-uri github.com/org/app
Pipeline Hardening
- Least privilege: the CI runner has only the permissions it needs
- Ephemeral runners: clean state for each job
- Pin actions/images: SHA instead of tags (actions/checkout@abc123)
- Branch protection: require reviews, status checks
- Audit log: who ran what, and when
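
One way to enforce the "pin actions/images" item as a pipeline check, shown as an added example that is not part of the original page: it scans a GitHub Actions workflow for `uses:` references that are not pinned to an immutable identifier. It assumes only a full 40-character commit SHA (or a `sha256:` digest for `docker://` images) counts as pinned; the function names, the sample workflow, and the SHA in it are constructed placeholders.

```python
import re

# Matches a `uses:` step or reusable-workflow reference in a workflow file.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)""")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
DIGEST = re.compile(r"sha256:[0-9a-f]{64}")


def classify(ref):
    """Return None if the reference is immutable, else a reason string."""
    if ref.startswith("./"):
        return None  # local action, versioned with the repository itself
    if ref.startswith("docker://"):
        _, sep, digest = ref.partition("@")
        return None if sep and DIGEST.fullmatch(digest) else "image not pinned by digest"
    _, sep, version = ref.rpartition("@")
    if not sep:
        return "no version given"
    # Tags and branches can be moved to different code; a full commit SHA cannot.
    return None if FULL_SHA.fullmatch(version) else "mutable tag or branch '%s'" % version


def find_unpinned(workflow_text):
    """Return (line_number, reference, reason) for every unpinned reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            reason = classify(match.group(1))
            if reason:
                findings.append((lineno, match.group(1), reason))
    return findings


# Constructed sample workflow; the SHA below is a placeholder, not a real release.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: org/scan-action@main
      - uses: ./.github/actions/local-build
      - uses: docker://registry.example.com/lint:1.2
"""

if __name__ == "__main__":
    for lineno, ref, reason in find_unpinned(SAMPLE):
        print("line %d: %s (%s)" % (lineno, ref, reason))
```

Run as a required status check, a non-empty result from `find_unpinned` can fail the job so unpinned references never reach the protected branch.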
Summary
The CI/CD pipeline is a critical attack vector. Secret management, supply chain security and pipeline hardening are the minimum for a production environment.