CI/CD Security
Vibe Prompt
"Harden CI/CD pipeline: signed commits, SBOM, dependency scanning, artifact signing."
Supply Chain Threats
1. Compromised dependency (e.g., event-stream, log4j)
2. Malicious commit from insider
3. CI/CD credential leakage
4. Build artifact tampering
5. Registry compromise
Signed Commits
# Generate GPG key
brew install gpg
gpg --full-generate-key
# Configure Git
git config --global user.signingkey <KEY>
git config --global commit.gpgsign true
# Sign commits
git commit -S -m "feat: add auth module"
# Verify
git log --show-signature
# GitHub: Settings → SSH and GPG keys → Add GPG key
# Then: Require signed commits in branch protection
Software Bill of Materials (SBOM)
# Generate SBOM with Syft
syft myapp:latest -o spdx-json > sbom.spdx.json
# Scan with Grype
grype sbom:sbom.spdx.json
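# Generate in CI
on: push
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      # Check out the repository so there is source to scan at ./
      - uses: actions/checkout@v4
      - uses: anchore/sbom-action@v0
        with:
          path: ./
          format: spdx-json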
Dependency Scanning
# GitHub Dependabot config (.github/dependabot.yml)
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: daily
    open-pull-requests-limit: 10
# Snyk / OWASP Dependency-Check / Renovate
Artifact Signing (Cosign)
# Generate key pair
cosign generate-key-pair
# Sign container image
cosign sign --key cosign.key myapp:latest
# Verify
cosign verify --key cosign.pub myapp:latest
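# Sign and verify keyless (GitHub OIDC)
cosign sign myapp:latest
# Keyless verification must name the expected signer; <WORKFLOW_IDENTITY> is a placeholder
cosign verify --certificate-identity "<WORKFLOW_IDENTITY>" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com myapp:latest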
CI/CD Hardening Checklist
| Practice | Tool |
|----------|------|
| Signed commits | GPG |
| SBOM generation | Syft |
| Dependency scan | Dependabot, Snyk |
| Artifact signing | Cosign |
| Secret scanning | GitLeaks |
| SAST | Semgrep, SonarQube |
| DAST | OWASP ZAP |
| Image scan | Trivy |
| Harden runner | GitHub hosted (ephemeral) |
| Least privilege | OIDC (no static creds) |
OIDC in CI/CD (No Static Secrets)
# GitHub Actions with AWS OIDC
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets the job request an OIDC token
      contents: read
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456:role/github-deploy
          aws-region: us-west-2
      # Now authenticated without any secrets!
Best Practices
- No secrets in CI/CD variables (use OIDC)
- Scan all dependencies (automated PRs)
- Sign all artifacts
- Use ephemeral runners (not self-hosted)
- Pin action versions by SHA (not tag)
- Enforce signed commits on main branch
- Generate SBOM for every release
- Scan images before registry push