CI/CD Security

🔥 Vibe Prompt

"Harden CI/CD pipeline: signed commits, SBOM, dependency scanning, artifact signing."

Supply Chain Threats

1. Compromised dependency (e.g., event-stream, log4j)
2. Malicious commit from insider
3. CI/CD credential leakage
4. Build artifact tampering
5. Registry compromise

Signed Commits

# Generate GPG key
brew install gpg
gpg --full-generate-key

# Configure Git
git config --global user.signingkey <KEY>
git config --global commit.gpgsign true

# Sign commits
git commit -S -m "feat: add auth module"

# Verify
git log --show-signature

# GitHub: Settings → SSH and GPG keys → Add GPG key
# Then: Require signed commits in branch protection

Software Bill of Materials (SBOM)

# Generate SBOM with Syft
syft myapp:latest -o spdx-json > sbom.spdx.json

# Scan with Grype
grype sbom:sbom.spdx.json

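# Generate in CI (GitHub Actions workflow)
on: push
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      # Check out the source so the action has something to scan
      - uses: actions/checkout@v4
      - uses: anchore/sbom-action@v0
        with:
          path: ./
          format: spdx-json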

Dependency Scanning

# GitHub Dependabot config (.github/dependabot.yml)
version: 2
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: daily
    open-pull-requests-limit: 10

# Alternatives: Snyk, OWASP Dependency-Check, Renovate

Artifact Signing (Cosign)

# Generate key pair
cosign generate-key-pair

# Sign container image
cosign sign --key cosign.key myapp:latest

# Verify
cosign verify --key cosign.pub myapp:latest

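# Sign and verify keyless (GitHub OIDC); verify must name the expected signer identity and issuer
cosign sign myapp:latest
cosign verify --certificate-identity <WORKFLOW_IDENTITY> \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com myapp:latest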

CI/CD Hardening Checklist

| Practice | Tool |
|----------|------|
| Signed commits | GPG |
| SBOM generation | Syft |
| Dependency scan | Dependabot, Snyk |
| Artifact signing | Cosign |
| Secret scanning | GitLeaks |
| SAST | Semgrep, SonarQube |
| DAST | OWASP ZAP |
| Image scan | Trivy |
| Harden runner | GitHub hosted (ephemeral) |
| Least privilege | OIDC (no static creds) |

OIDC in CI/CD (No Static Secrets)

# GitHub Actions with AWS OIDC
jobs:
  deploy:
    runs-on: ubuntu-latest
    # id-token: write lets the job request an OIDC token from GitHub
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456:role/github-deploy
          aws-region: us-west-2
      # Now authenticated without any secrets!

Best Practices

  • No secrets in CI/CD variables (use OIDC)
  • Scan all dependencies (automated PRs)
  • Sign all artifacts
  • Use ephemeral runners (not self-hosted)
  • Pin action versions by SHA (not tag)
  • Enforce signed commits on main branch
  • Generate SBOM for every release
  • Scan images before registry push


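CI/CD Pipelines Are Attackers' New Target

Modern software development depends on CI/CD: automated build, test and deployment. That also makes the CI/CD pipeline itself a target for attackers: an attacker who controls your CI/CD pipeline can plant malicious code in every deployment.

Security Threats to the CI/CD Pipeline

| Attack surface | Risk | Protection |
|:------|:----|:--------|
| GitHub Actions Token | An Action is tampered with and steals deployment keys | Use OIDC instead of static tokens |
| Third-party Actions | A malicious GitHub Action steals data | Pin the version (@v1.2.3 rather than @v1) |
| Artifact contamination | A backdoor is planted during the build | Sign artifacts + verify integrity |
| Secret leakage | CI logs print an API key | Use a secret scanner + prevent secrets from being written to logs |
| Dependency substitution | A typosquatting package gets installed | Pin dependency versions + SCA scanning |

Secure CI/CD Checklist

  • [ ] The CI/CD environment uses OIDC rather than static credentials
  • [ ] All external Actions are pinned to a commit SHA rather than a version tag
  • [ ] CI logs automatically mask secret output
  • [ ] All security scans must pass before a PR is merged
  • [ ] Deployment keys have an automatic rotation mechanism

Next Chapter Preview: SAST Static Analysis

CI/CD security protection establishes a secure deployment process. The next chapter covers the first security scanning tool, SAST (Static Application Security Testing), which finds security vulnerabilities at the code compilation stage.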
