Awesome CI/CD Security

List of awesome resources about CI/CD security included books, blogs, videos, tools and cases.

Table of Contents

• Books
• Guidelines
• Blogs
  • General
  • GitLab
  • GitHub Actions
  • Jenkins
  • ArgoCD
• Videos
• Repositories
• Tools
• Playground
• Cases

Books

• Advanced Infrastructure Penetration Testing

Guidelines

• Defending Continuous Integration/Continuous Delivery (CI/CD) Environment from CISA & NSA

Blogs

General

• Top 10 CI/CD Security Risks
• Continuous Delivery 3.0 Maturity Model (CD3M)
• Visualizing CI/CD from an attacker’s perspective
• The Anatomy of an Attack Against a Cloud Supply Pipeline
• When Supply-Chain Attacks Meet CI/CD Infrastructures
• CI/CD Supply Chain Attacks for Data Exfiltration or Cloud Account Takeover
• Detecting Malicious Activity in CI/CD Pipeline with Tracee
• Let’s Hack a Pipeline: Argument Injection
• Let’s Hack a Pipeline: Stealing Another Repo
• Let’s Hack a Pipeline: Shared Infrastructure
• Poorly Configured CI/CD Systems Can Be A Backdoor Into Your Infrastructure
• Assess Vulnerabilities and Misconfigurations in CICD Pipelines: Part 1
• Assess Vulnerabilities and Misconfigurations in CICD Pipelines: Part 2
• Defending software build pipelines from malicious attack
• Cloud Native Best Practices: Security Policies in CI/CD Pipelines
• CI/CD secrets extraction, tips and tricks

Azure DevOps Server

• Azure DevOps server supply-chain attack tree (map, Attack surface, threat modeling)

GitLab

• Abusing GitLab Runners
• Critical GitLab vulnerability could allow attackers to steal runner registration tokens
• Understanding GitLab's Security Threats and Strengthening Your Preparedness
• Securing GitLab CI pipelines with Sysbox
• GitLab - Security for self-managed runners

GitHub Actions

• Stealing arbitrary GitHub Actions secrets
• Exploiting GitHub Actions on open source projects
• GitHub Action Runners Analyzing the Environment and Security in Action
• What the fork? Imposter commits in GitHub Actions and CI/CD
• The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree
• Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows
• Long Live the Pwn Request: Hacking Microsoft GitHub Repositories and More
• One Supply Chain Attack to Rule Them All – Poisoning GitHub’s Runner Images
• TensorFlow Supply Chain Compromise via Self-Hosted Runner Attack
• Self-hosted runner security
• Automatically Secure Your CI/CD Pipelines Using Tracee GitHub Action
• Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
• Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
• Keeping your GitHub Actions and workflows secure Part 3: How to trust your building blocks
• Github Actions Security Best Practices
• Security hardening for GitHub Actions
• GitHub Actions exploitation: introduction
• GitHub Actions exploitation: untrusted input
• GitHub Actions exploitation: repo jacking and environment manipulation
• GitHub Actions exploitation: self hosted runners
• GitHub Actions exploitation: Dependabot
• Hijacking GitHub runners to compromise the organization

Jenkins

• Attacking Jenkins
• Attacking Jenkins with Shared Libraries
• Reflections on trusting plugins: Backdooring Jenkins builds
• Securing Jenkins
• How to Secure Jenkins Pipelines without the hassle

ArgoCD

• ArgoCD SSRF
• Redis or Not – Revealing a Critical Vulnerability in Argo CD Kubernetes Controller
• Six Critical Blindspots While Securing Argo CD
• Security Considerations
• Argo CD Security Practices

Videos

• Attacking Development Pipelines For Actual Profit
• Exploiting Continuous Integration (CI) and Automated Build systems
• Continuous Intrusion: Why CI Tools Are An Attacker's Best Friends
• OMGCICD - From Intern to Production by: Denis Andzakovic
• Attacking Argo CD with Argo CD (and then Defending) - Michael Crenshaw, Intuit
• Challenges to Securing CI/CD Pipelines
• How to Build a Compromise Resilient CI/CD

Repositories

• Threat Matrix for CI/CD Pipeline
• Jenkins Attack Framework
• pwn_jenkins

Tools

• Gato - A tool that helps blue teamers and offensive security practitioners find weaknesses in GitHub organization's public and private repositories.
• clank - Simple tool that allows you to detect imposter commits in GitHub Actions workflows.
• legitify - Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets.
• poutine - A security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository.
• Harden-Runner - Network egress filtering and runtime security for GitHub-hosted and self-hosted runners.
• Cimon - Runtime security solution for your CI/CD pipeline.
• releaserun - CLI tool and GitHub Action that scans CI/CD pipeline dependencies for known CVEs, end-of-life versions, and deprecated packages across Node.js, Python, Go, Rust, and Docker. Catches vulnerable dependencies before they reach production.
• Raven - A powerful security tool designed to perform massive scans for GitHub Actions CI workflows and digest the discovered data into a Neo4j database
• nord-stream - Nord Stream is a tool that allows you extract secrets stored inside CI/CD environments by deploying malicious pipelines.
• octoscan - Octoscan is a static vulnerability scanner for GitHub action workflows.
• segspec - Extracts network dependencies from application config files and generates Kubernetes NetworkPolicies. Diff mode enables CI gating to catch unauthorized network changes before deployment.
• gh-hijack-runner - A python script to create a fake GitHub runner and hijack pipeline jobs to leak CI/CD secrets.

Playground

• CI/CDon't
• CI/CD Goat
• GitHub Actions Goat

Cases

• 10 real-world stories of how we’ve compromised CI/CD pipelines
• CI/CD pipeline attacks: A growing threat to enterprise security
• Poisoned pipelines: Security researcher explores attack methods in CI environments
• Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects
• GitHub Actions being actively abused to mine cryptocurrency on GitHub servers
• Report: Software supply chain attacks increased 300% in 2021
• Critical vulnerability discovered in popular CI/CD framework
• Malicious Kubernetes Helm Charts can be used to steal sensitive information from Argo CD deployments
• New Attacks on Kubernetes via Misconfigured Argo Workflows
• Argo CD Security Bug Opens Kubernetes Cloud Apps to Attackers
• Ransomware attacks on GitHub, Bitbucket, and GitLab – what you should know
• Compromising CI/CD Pipelines with Leaked Credentials

Contributing

Your contributions are always welcome.

License