CI/CD Security

๐Ÿ”ฅ Vibe Prompt

"Harden CI/CD pipeline: signed commits, SBOM, dependency scanning, artifact signing."

Supply Chain Threats

1. Compromised dependency (e.g., event-stream, log4j)
2. Malicious commit from insider
3. CI/CD credential leakage
4. Build artifact tampering
5. Registry compromise

Signed Commits

# Generate GPG key
brew install gpg
gpg --full-generate-key

# Configure Git
git config --global user.signingkey <KEY>
git config --global commit.gpgsign true

# Sign commits
git commit -S -m "feat: add auth module"

# Verify
git log --show-signature

# GitHub: Settings โ†’ SSH and GPG keys โ†’ Add GPG key
# Then: Require signed commits in branch protection

Software Bill of Materials (SBOM)

# Generate SBOM with Syft
syft myapp:latest -o spdx-json > sbom.spdx.json

# Scan with Grype
grype sbom:sbom.spdx.json

# Generate in CI
on: push
jobs:
  sbom:
    steps:
      - uses: anchore/sbom-action@v0
        with:
          path: ./
          format: spdx-json

Dependency Scanning

# GitHub Dependabot config
alerts:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: daily
    open-pull-requests-limit: 10

# Snyk / OWASP Dependency-Check / Renovate

Artifact Signing (Cosign)

# Generate key pair
cosign generate-key-pair

# Sign container image
cosign sign --key cosign.key myapp:latest

# Verify
cosign verify --key cosign.pub myapp:latest

# Verify with keyless (GitHub OIDC)
cosign sign myapp:latest
cosign verify myapp:latest

CI/CD Hardening Checklist

| Practice | Tool | |----------|------| | Signed commits | GPG | | SBOM generation | Syft | | Dependency scan | Dependabot, Snyk | | Artifact signing | Cosign | | Secret scanning | GitLeaks | | SAST | Semgrep, SonarQube | | DAST | OWASP ZAP | | Image scan | Trivy | | Harden runner | GitHub hosted (ephemeral) | | Least privilege | OIDC (no static creds) |

OIDC in CI/CD (No Static Secrets)

# GitHub Actions with AWS OIDC
jobs:
  deploy:
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456:role/github-deploy
          aws-region: us-west-2
      # Now authenticated without any secrets!

Best Practices

  • No secrets in CI/CD variables (use OIDC)
  • Scan all dependencies (automated PRs)
  • Sign all artifacts
  • Use ephemeral runners (not self-hosted)
  • Pin action versions by SHA (not tag)
  • Enforce signed commits on main branch
  • Generate SBOM for every release
  • Scan images before registry push

Member Exclusive Free Tutorial

This chapter is free exclusive content for registered members! Please login or register to unlock immediately.

Login / Register Now