CI/CD pipelines have become a high-value target for attackers because they have privileged access to source code, secrets, and production environments. A compromised pipeline can inject malicious code into builds, steal credentials, or deploy backdoored applications to production infrastructure.
Pipeline Security Controls
Secret management is the most critical aspect of pipeline security. Credentials should never be stored in source code repositories or pipeline configuration files. Instead, use dedicated secret management services like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault, with short-lived, dynamically generated credentials wherever possible.
Pipeline execution environments should be ephemeral and isolated. Each build should start from a clean state in an isolated container or VM, preventing one build from accessing artifacts or secrets from another. Self-hosted runners that persist between builds accumulate risk through cached credentials, leftover files, and potential contamination from previous executions.
Artifact integrity verification through code signing and provenance attestation ensures that only authorized builds produce deployable artifacts. Tools like Sigstore and in-toto provide frameworks for signing build artifacts and generating verifiable records of the build process, enabling downstream systems to reject artifacts that lack proper provenance.
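The downstream rejection step described above can be sketched as a deploy gate; this is an added example, not code from Sigstore, in-toto, or the original page. It assumes the statement's signature has already been verified by signing tooling and that the statement follows the in-toto Statement v1 layout with a SLSA provenance v1 predicate; the builder allowlist, URLs, and function names are hypothetical.

```python
import hashlib

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE = "https://slsa.dev/provenance/v1"
# Hypothetical allowlist of builder identities the deploy gate trusts.
TRUSTED_BUILDERS = {"https://ci.example.com/runners/ephemeral"}


def check_provenance(artifact: bytes, statement) -> tuple[bool, str]:
    """Return (accepted, reason). Signature verification is assumed done earlier."""
    if not isinstance(statement, dict):
        return False, "no provenance statement"
    if statement.get("_type") != STATEMENT_TYPE:
        return False, "not an in-toto v1 statement"
    if statement.get("predicateType") != SLSA_PROVENANCE:
        return False, "unexpected predicate type"
    # Bind the statement to these exact bytes: the digest must be a listed subject.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject") or []
    if not any((s.get("digest") or {}).get("sha256") == digest for s in subjects):
        return False, "artifact digest not listed as a subject"
    # Policy check: only builds from an allowlisted builder may be deployed.
    predicate = statement.get("predicate") or {}
    builder = ((predicate.get("runDetails") or {}).get("builder") or {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        return False, f"untrusted builder: {builder!r}"
    return True, "ok"


def make_statement(artifact: bytes, builder_id: str) -> dict:
    """Build a constructed sample statement (test data, not real CI output)."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "app.tar.gz",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_PROVENANCE,
        "predicate": {"runDetails": {"builder": {"id": builder_id}}},
    }


if __name__ == "__main__":
    built = b"constructed artifact bytes"
    good = make_statement(built, "https://ci.example.com/runners/ephemeral")
    print(check_provenance(built, good))                 # accepted
    print(check_provenance(built + b"tampered", good))   # digest mismatch
    print(check_provenance(built, make_statement(built, "https://laptop.example.net")))
    print(check_provenance(built, None))                 # missing provenance
```

The gate fails closed: a missing statement, a digest that does not match the artifact bytes, or a builder outside the allowlist each produce a rejection with a reason suitable for logging.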