CI/CD Security
🔥 Vibe Prompt
"Harden CI/CD pipeline: signed commits, SBOM, dependency scanning, artifact signing."
Supply Chain Threats
1. Compromised dependency (e.g., event-stream, log4j)
2. Malicious commit from insider
3. CI/CD credential leakage
4. Build artifact tampering
5. Registry compromise
Signed Commits
```bash
# Generate GPG key
brew install gpg
gpg --full-generate-key
# Configure Git
git config --global user.signingkey <KEY>
git config --global commit.gpgsign true
# Sign commits
git commit -S -m "feat: add auth module"
# Verify
git log --show-signature
# GitHub: Settings → SSH and GPG keys → Add GPG key
# Then: Require signed commits in branch protection
```
Software Bill of Materials (SBOM)
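```bash
# Generate SBOM with Syft
syft myapp:latest -o spdx-json > sbom.spdx.json
# Scan with Grype
grype sbom:sbom.spdx.json
```

```yaml
# Generate in CI
on: push
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # check out the source to be inventoried
      - uses: anchore/sbom-action@v0
        with:
          path: ./
          format: spdx-json
```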
Dependency Scanning
```yaml
# GitHub Dependabot config (.github/dependabot.yml)
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: daily
    open-pull-requests-limit: 10
# Snyk / OWASP Dependency-Check / Renovate
```
Artifact Signing (Cosign)
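```bash
# Generate key pair
cosign generate-key-pair
# Sign container image
cosign sign --key cosign.key myapp:latest
# Verify
cosign verify --key cosign.pub myapp:latest
# Keyless signing (GitHub OIDC)
cosign sign myapp:latest
# Keyless verification must state the expected signer identity and OIDC issuer;
# <ORG>, <REPO> and <WORKFLOW> are placeholders
cosign verify \
  --certificate-identity "https://github.com/<ORG>/<REPO>/.github/workflows/<WORKFLOW>.yml@refs/heads/main" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  myapp:latest
```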
CI/CD Hardening Checklist
| Practice | Tool |
|----------|------|
| Signed commits | GPG |
| SBOM generation | Syft |
| Dependency scan | Dependabot, Snyk |
| Artifact signing | Cosign |
| Secret scanning | GitLeaks |
| SAST | Semgrep, SonarQube |
| DAST | OWASP ZAP |
| Image scan | Trivy |
| Harden runner | GitHub hosted (ephemeral) |
| Least privilege | OIDC (no static creds) |
OIDC in CI/CD (No Static Secrets)
```yaml
# GitHub Actions with AWS OIDC
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets the job request an OIDC token
      contents: read
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456:role/github-deploy
          aws-region: us-west-2
      # Now authenticated without any secrets!
```
Best Practices
- No secrets in CI/CD variables (use OIDC)
- Scan all dependencies (automated PRs)
- Sign all artifacts
- Use ephemeral runners (not self-hosted)
- Pin action versions by SHA (not tag)
- Enforce signed commits on main branch
- Generate SBOM for every release
- Scan images before registry push
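
An added example, not part of the original page: a line-based Python audit for two of the practices above, flagging `uses:` references that are not pinned to a full commit SHA and AWS keys read from repository secrets instead of OIDC. The function name, rule names and sample workflow are constructed for illustration; a regex pass like this is a heuristic, not a YAML parser.

```python
import re

# Matches "uses: owner/repo[/path]@ref" in a step or reusable-workflow call.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Long-lived AWS keys pulled from repository secrets instead of OIDC.
STATIC_AWS_RE = re.compile(r"secrets\.AWS_(?:ACCESS_KEY_ID|SECRET_ACCESS_KEY)\b")

def audit_workflow(text):
    """Return (line_number, rule, detail) findings for one workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out lines
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./"):
                pass  # local action, versioned with the repository itself
            elif ref.startswith("docker://"):
                if "@sha256:" not in ref:
                    findings.append((lineno, "unpinned-image", ref))
            else:
                _, _, version = ref.partition("@")
                if not FULL_SHA_RE.match(version):
                    findings.append((lineno, "unpinned-action", ref))
        if STATIC_AWS_RE.search(line):
            findings.append((lineno, "static-aws-credential", line.strip()))
    return findings

# Constructed sample workflow; the 40-character SHA is a made-up placeholder.
SAMPLE = """\
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anchore/sbom-action@0123456789abcdef0123456789abcdef01234567 # v0
      - uses: ./.github/actions/build
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""

if __name__ == "__main__":
    for lineno, rule, detail in audit_workflow(SAMPLE):
        print(f"line {lineno}: {rule}: {detail}")
```

Run over every file in `.github/workflows/`, a non-empty result can fail the pull-request check.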
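CI/CD Pipelines Are the New Target for Attackers
Modern software development depends on CI/CD: automated builds, tests, and deployments. But that also makes the CI/CD pipeline itself a target: an attacker who controls your CI/CD pipeline can plant malicious code in every deployment.
Security Threats to the CI/CD Pipeline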
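| Attack surface | Risk | Mitigation |
|:------|:----|:--------|
| GitHub Actions Token | An Action is tampered with and steals deployment keys | Use OIDC instead of static tokens |
| Third-party Action | A malicious GitHub Action steals data | Pin the version (@v1.2.3 rather than @v1) |
| Artifact contamination | A backdoor is planted during the build | Sign artifacts + verify integrity |
| Secret leakage | CI logs print an API key | Use a secret scanner + prevent secrets from being written to logs |
| Dependency substitution | A typosquatted package gets installed | Pin dependency versions + SCA scanning |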
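Secure CI/CD Checklist
- [ ] The CI/CD environment uses OIDC rather than static credentials
- [ ] All external Actions are pinned to a commit SHA rather than a version tag
- [ ] CI logs automatically mask secret output
- [ ] All security scans must pass before a PR is merged
- [ ] Deployment keys have an automatic rotation mechanism
Next Chapter Preview: SAST Static Analysis
CI/CD security controls establish a secure deployment process. The next chapter moves on to the first security scanning tool, SAST (Static Application Security Testing), which finds security vulnerabilities at the code compilation stage.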