Automated CI/CD (continuous integration/continuous delivery) pipelines are used to speed up development. It is awesome to have triggers or scheduling that take your code, merge it, build it, test it, and ship it automatically. However, having been built for speed and ease of use means that most pipelines are not inherently built with security in mind. Since the pipelines usually need to have access to the internet to download dependencies, and to your various secrets to upload to your production environment, it means that once such a pipeline is compromised, the attacker has a wide range of options to disrupt your operation or exfiltrate information or secrets.

All of the stories presented in this article describe breaches in prominent CI/CD tools. The fact that most companies rely on such tools means that, like many other software supply chain attacks, all the bad actors need is to breach a single target to get a vast blast radius.

Leave a Reply

Your email address will not be published. Required fields are marked *