Securing CI/CD Pipelines: The New Frontier of Software Supply Chain Security

The SolarWinds breach showed the world that compromising a CI/CD pipeline can be more devastating than attacking production systems. Supply chain attacks via CI/CD are now one of the top threat categories.

Why CI/CD Pipelines Are Attractive Targets

  • Access to production credentials and deployment secrets
  • Code going to thousands of customers
  • Often run with excessive permissions
  • Third-party Actions/plugins can be compromised

Real Attacks

# SolarWinds 2020: Attackers compromised Orion build system
# Inserted SUNBURST malware into legitimate updates
# 18,000+ organizations downloaded trojanized updates

# Codecov 2021: Modified Docker image in CI pipeline
# Exfiltrated environment variables (AWS keys, GitHub tokens)
# Thousands of companies had secrets stolen

Securing GitHub Actions

# 1. Pin actions to full commit SHA (not @v1):
# BAD: uses: actions/checkout@v4
# GOOD: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

# 2. Minimum permissions:
permissions:
  contents: read
  packages: write

# 3. Scan for secrets in pipeline:
- name: Scan for secrets
  uses: trufflesecurity/trufflehog@v3  # pin this to a full commit SHA too, as in step 1
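
As an added example (not code from the original post or from GitHub), a small Python audit for points 1 and 2 above: it flags `uses:` references not pinned to a full commit SHA and workflows with no `permissions:` block. The sample workflow is constructed, `audit_workflow` is a hypothetical helper name, and the handling of local (`./`) and `docker://` references goes beyond the cases shown above.

```python
import re
import sys

# A step-level or job-level `uses:` value; commented-out lines do not match.
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
PERMISSIONS_RE = re.compile(r"^[ \t]*permissions:", re.MULTILINE)

# Constructed sample workflow reusing the action references shown in this post.
SAMPLE = """\
on: push
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: aws-actions/configure-aws-credentials@v4
      - uses: trufflesecurity/trufflehog@v3
"""


def audit_workflow(text):
    """Return (line, reference, problem) findings for one workflow's text."""
    findings = []
    for match in USES_RE.finditer(text):
        ref = match.group(1)
        line_no = text.count("\n", 0, match.start(1)) + 1
        if ref.startswith("./"):
            continue  # local action, versioned with the repository itself
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((line_no, ref, "image not pinned to a digest"))
            continue
        version = ref.partition("@")[2]  # empty when no "@ref" is given
        if not FULL_SHA_RE.fullmatch(version):
            findings.append((line_no, ref, "not pinned to a full commit SHA"))
    if not PERMISSIONS_RE.search(text):
        # Line 0 marks a file-level finding rather than a specific line.
        findings.append((0, "permissions", "no explicit permissions block"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line_no, ref, problem in audit_workflow(text):
        print(f"{line_no}: {ref}: {problem}")
```

Run it with a workflow file path as the only argument; with no argument it audits the constructed sample.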

Secrets Management: Use OIDC Instead of Long-Lived Keys

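# GOOD: AWS OIDC - no hardcoded credentials needed.
# The job needs `id-token: write` under permissions so it can request the OIDC token.
- uses: aws-actions/configure-aws-credentials@v4  # pin to a full commit SHA in real workflows
  with:
    role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole
    aws-region: us-east-1
    # The job exchanges a GitHub-issued OIDC token for temporary AWS credentials - no stored keys!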

Dependency Security

# Scan dependencies for CVEs:
# Python:
pip install safety
safety check -r requirements.txt

# Node.js:
npm audit
npm audit fix

# Automated with Dependabot (.github/dependabot.yml):
version: 2
updates:
  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: weekly

SLSA Framework for Build Integrity

# SLSA = Supply-chain Levels for Software Artifacts
# Level 1: Build process documented
# Level 2: Signed build provenance
# Level 3: Hermetic, isolated build environment

# Verify artifact provenance:
slsa-verifier verify-artifact my-binary --provenance-path provenance.json --source-uri github.com/myorg/myrepo

Wrap Up

Your CI/CD pipeline needs protection equal to your production systems. Pin action versions to SHAs, use OIDC instead of long-lived credentials, scan every dependency, and implement SLSA provenance. Supply chain attacks succeed because these protections are missing.