CI/CD Security
Introduction
Continuous Integration and Continuous Deployment (CI/CD) pipelines automate the process of building, testing, and deploying software. While these pipelines greatly improve developer productivity and software quality, they also introduce new security risks. CI/CD Security focuses on protecting these automated workflows from vulnerabilities that could compromise your code, infrastructure, or deployment environments.
In this guide, we'll explore why securing your CI/CD pipeline is critical, common security vulnerabilities, and practical steps to implement robust security measures that protect your entire software delivery process.
Why CI/CD Security Matters
CI/CD pipelines typically have access to:
- Source code repositories
- Testing environments
- Production credentials
- Container registries
- Cloud resources
- Sensitive configuration data
Without proper security controls, your pipeline could become the perfect entry point for attackers to:
- Inject malicious code
- Steal secrets and credentials
- Compromise your production environment
- Disrupt your development process
Let's examine the key security concerns and how to address them.
CI/CD Pipeline Security Flow
The following diagram illustrates a typical CI/CD pipeline with security measures implemented at each stage:
Common CI/CD Security Vulnerabilities
1. Secrets Management Issues
Hard-coded secrets (passwords, API keys, tokens) in source code or configuration files represent one of the most common security risks.
Bad practice (avoid this):
yaml
# .github/workflows/deploy.yml
name: Deploy Application
on:
push:
branches: [ main ]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Deploy to production
run: |
# NEVER do this!
AWS_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
./deploy-script.sh
Secure approach:
yaml
# .github/workflows/deploy.yml
name: Deploy Application
on:
push:
branches: [ main ]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Deploy to production
run: ./deploy-script.sh
2. Insufficient Access Controls
CI/CD pipelines often run with elevated privileges, making them attractive targets.
Best practices:
- Implement the principle of least privilege:
yaml
# Example of limited IAM policy for CI/CD in AWS
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::my-app-deployment-bucket/*"
}
]
}
- Use separate credentials for different environments (dev, staging, production)
- Implement time-limited credentials when possible
3. Vulnerable Dependencies
Modern applications often depend on hundreds of open source components, which may contain vulnerabilities.
Solution: Dependency Scanning
Add automated dependency scanning to your CI/CD pipeline:
yaml
# Example GitHub workflow with dependency scanning
name: Security Scan
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up Node.js
uses: actions/setup-node@v3
with:
node-version: 16
- name: Install dependencies
run: npm ci
- name: Run dependency vulnerability scan
run: npm audit --audit-level=high
- name: Run SAST scan
uses: github/codeql-action/analyze@v2
Implementing CI/CD Security: Step-by-Step Guide
Step 1: Secure Secrets Management
-
Use a secrets manager:
- GitHub Secrets
- HashiCorp Vault
- AWS Secrets Manager
- Azure Key Vault
-
Example integration with HashiCorp Vault:
yaml
# Example GitLab CI configuration with Vault
stages:
- deploy
deploy:
stage: deploy
image: hashicorp/vault:latest
script:
- export VAULT_ADDR="https://vault.example.com:8200"
- export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=my-role jwt=$CI_JOB_JWT)"
- export DB_PASSWORD="$(vault kv get -field=password secret/database/credentials)"
- ./deploy.sh
only:
- main
Step 2: Implement Pipeline Security Scanning
Integrate various security scanning tools into your pipeline:
- SAST (Static Application Security Testing)
yaml
# Example Jenkins pipeline with SAST
pipeline {
agent any
stages {
stage('Checkout') {
steps {
checkout scm
}
}
stage('Build') {
steps {
sh 'npm install'
sh 'npm run build'
}
}
stage('Security Scan') {
steps {
sh 'npm install -g sonarqube-scanner'
sh 'sonar-scanner \
-Dsonar.projectKey=my-project \
-Dsonar.sources=. \
-Dsonar.host.url=http://sonarqube:9000 \
-Dsonar.login=$SONAR_TOKEN'
}
}
}
}
- Container Image Scanning
yaml
# Example CircleCI config with Trivy container scanning
version: 2.1
jobs:
build-and-scan:
docker:
- image: cimg/base:2021.04
steps:
- checkout
- setup_remote_docker
- run:
name: Build Docker image
command: docker build -t myapp:latest .
- run:
name: Install Trivy
command: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
- run:
name: Scan Docker image
command: |
trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest
workflows:
main:
jobs:
- build-and-scan
Step 3: Secure Your Pipeline Configuration
- Pipeline-as-Code Security:
yaml
# Example GitHub workflow with protected configuration
name: Deployment Pipeline
on:
push:
branches: [ main ]
permissions:
id-token: write # Required for requesting the JWT
contents: read # Required for actions/checkout
jobs:
deploy:
runs-on: ubuntu-latest
environment: production # Ties this job to a protected environment
steps:
- uses: actions/checkout@v3
with:
ref: ${{ github.ref }}
fetch-depth: 0
# Validate that the configuration hasn't been tampered with
- name: Verify workflow integrity
run: |
HASH=$(git hash-object .github/workflows/deploy.yml)
EXPECTED="e7a6c84d5dd56a8c95a950fee8682110ab958a5a"
if [ "$HASH" != "$EXPECTED" ]; then
echo "Workflow file has been modified unexpectedly!"
exit 1
fi
- Sign Your Artifacts:
bash
# Example of signing a container image
#!/bin/bash
# Build the image
docker build -t myapp:latest .
# Sign the image using cosign
cosign sign --key cosign.key myapp:latest
# Verify the signature
cosign verify --key cosign.pub myapp:latest
Step 4: Implement Infrastructure as Code (IaC) Security
- Scan IaC templates for security issues:
yaml
# Example GitHub workflow with Checkov for IaC scanning
name: IaC Security Scan
on:
push:
paths:
- '**/*.tf'
- '**/*.yaml'
- '**/*.json'
jobs:
scan-iac:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Checkov scan
id: checkov
uses: bridgecrewio/checkov-action@master
with:
directory: ./terraform
framework: terraform
soft_fail: true
- name: Upload scan results
uses: actions/upload-artifact@v3
with:
name: checkov-report
path: results.sarif
Step 5: Set Up Secure Deployment Practices
- Implement Deployment Gates:
yaml
# Example Azure DevOps Pipeline with deployment gates
trigger:
- main
pool:
vmImage: 'ubuntu-latest'
stages:
- stage: Build
jobs:
- job: BuildJob
steps:
- script: echo "Building the application"
- script: echo "Running tests"
- stage: DeployToProduction
dependsOn: Build
condition: succeeded()
jobs:
- deployment: DeployApp
environment:
name: Production
# Deployment gates
gates:
- approver: [email protected]
- approver: [email protected]
strategy:
runOnce:
deploy:
steps:
- script: echo "Deploying to production"
- Use Immutable Infrastructure:
terraform
# Example Terraform configuration for immutable infrastructure
resource "aws_launch_template" "app_template" {
name_prefix = "app-"
image_id = "ami-0c55b159cbfafe1f0"
instance_type = "t2.micro"
user_data = base64encode(<<-EOF
#!/bin/bash
yum update -y
amazon-linux-extras install docker -y
systemctl start docker
docker pull ${var.container_image}:${var.container_tag}
docker run -d -p 80:80 ${var.container_image}:${var.container_tag}
EOF
)
lifecycle {
create_before_destroy = true
}
}
resource "aws_autoscaling_group" "app_asg" {
desired_capacity = 2
max_size = 5
min_size = 2
vpc_zone_identifier = var.subnet_ids
launch_template {
id = aws_launch_template.app_template.id
version = "$Latest"
}
lifecycle {
create_before_destroy = true
}
}
Real-World Implementation Examples
Example 1: Securing a Node.js Application CI/CD Pipeline
Let's implement a secure CI/CD pipeline for a Node.js application using GitHub Actions:
yaml
# .github/workflows/secure-ci-cd.yml
name: Secure CI/CD Pipeline
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
security-checks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: 16
cache: 'npm'
- name: Install dependencies
run: npm ci
# Check for secrets in code
- name: Check for hardcoded secrets
uses: gitleaks/gitleaks-action@v2
# Check dependencies for vulnerabilities
- name: Audit dependencies
run: npm audit --audit-level=moderate
# Static code analysis
- name: Run ESLint
run: npx eslint .
# Security testing
- name: Run security tests
run: npm run test:security
build:
needs: security-checks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: 16
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Build application
run: npm run build
# Build and scan container
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Build Docker image
uses: docker/build-push-action@v4
with:
context: .
load: true
tags: myapp:${{ github.sha }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Scan image for vulnerabilities
uses: aquasecurity/trivy-action@master
with:
image-ref: myapp:${{ github.sha }}
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
exit-code: '1'
deploy:
if: github.ref == 'refs/heads/main'
needs: build
runs-on: ubuntu-latest
# Only allows deployment if two team members approve
environment:
name: production
url: https://myapp.example.com
steps:
- uses: actions/checkout@v3
# Use OIDC to securely authenticate with cloud provider
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::123456789012:role/github-actions-role
aws-region: us-east-1
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Push Docker image
uses: docker/build-push-action@v4
with:
context: .
push: true
tags: ${{ steps.login-ecr.outputs.registry }}/myapp:${{ github.sha }}
- name: Deploy to ECS
run: |
aws ecs update-service --cluster production --service myapp-service --force-new-deployment
# Post-deployment security validation
- name: Run post-deployment security scan
run: |
sleep 60 # Wait for deployment to complete
npx owasp-zap-scanner --target https://myapp.example.com
Example 2: Implementing a Security Policy as Code
Create a security policy file that enforces security standards across all pipelines:
yaml
# .github/security-policy.yml
version: 1
# Required security scans
required_scans:
- dependency_check
- sast
- container_scan
- secret_scan
# Branch protection rules
branch_protection:
main:
required_reviews: 2
required_status_checks:
- "security-checks"
- "build"
enforce_admins: true
# Deployment requirements
deployment_requirements:
production:
required_approvals: 2
required_scans:
- dast
ip_restrictions: true
Then create a validation script to enforce this policy:
javascript
// scripts/validate-security-policy.js
const fs = require('fs');
const yaml = require('js-yaml');
// Load the security policy
const policy = yaml.load(fs.readFileSync('.github/security-policy.yml', 'utf8'));
// Load the workflow file to validate
const workflow = yaml.load(fs.readFileSync(process.argv[2], 'utf8'));
// Check if all required scans are present
const requiredScans = policy.required_scans;
let scanFound = [];
// Simple validation logic (would be more robust in a real implementation)
for (const job in workflow.jobs) {
const steps = workflow.jobs[job].steps || [];
for (const step of steps) {
if (step.name && step.name.toLowerCase().includes('scan')) {
for (const scan of requiredScans) {
if (step.name.toLowerCase().includes(scan.replace('_', ''))) {
scanFound.push(scan);
}
}
}
}
}
// Check if all required scans are found
const missingScan = requiredScans.filter(scan => !scanFound.includes(scan));
if (missingScan.length > 0) {
console.error(`Error: Missing required security scans: ${missingScan.join(', ')}`);
process.exit(1);
}
console.log('All required security checks are present in the workflow file.');
CI/CD Security Best Practices
-
Adopt a "Security as Code" approach
- Integrate security into the pipeline rather than treating it as a separate step
-
Implement Role-Based Access Control
- Limit who can modify pipeline configurations
- Use separate service accounts for CI/CD with least privilege
-
Secure Your Pipeline Infrastructure
- Keep your CI/CD servers and agents updated
- Isolate build environments
-
Implement Branch Protection
- Require code reviews
- Enforce status checks before merging
-
Use Signed Commits
- Verify author identity
- Prevent code tampering
-
Regularly Audit Your Pipeline
- Review access logs
- Perform security reviews of pipeline configuration
-
Isolate Build Environments
- Use ephemeral build environments
- Implement network segmentation
Common CI/CD Security Tools
| Category | Tools |
|---|---|
| Secret Scanning | GitLeaks, TruffleHog, detect-secrets |
| SAST | SonarQube, Checkmarx, ESLint (with security plugins) |
| Dependency Scanning | OWASP Dependency Check, npm audit, Snyk |
| Container Scanning | Trivy, Clair, Anchore |
| IaC Scanning | Checkov, Terrascan, tfsec |
| DAST | OWASP ZAP, Burp Suite |
| Policy as Code | OPA (Open Policy Agent), Kyverno |
Summary
Securing your CI/CD pipeline is crucial to protecting your software delivery process from security vulnerabilities and attacks. By implementing proper secrets management, access controls, dependency scanning, and other security measures, you can ensure that your automated workflows contribute to your security posture rather than weakening it.
Remember that CI/CD security is not a one-time effort but an ongoing process. As your development practices and threats evolve, so should your security measures.
Additional Resources
- OWASP CI/CD Security Guide: Comprehensive security guidance for CI/CD pipelines.
- Supply Chain Levels for Software Artifacts (SLSA): A security framework for ensuring supply chain integrity.
- CIS Benchmarks: Security configuration guidelines for various CI/CD platforms.
Exercises
- Audit Your Pipeline: Review your current CI/CD pipeline configuration and identify potential security vulnerabilities.
- Implement Secret Scanning: Add a secret scanning tool to your pipeline and fix any hardcoded secrets.
- Create a Security Policy: Develop a security policy for your CI/CD pipelines that defines requirements for different environments.
- Build a Secure Pipeline: Implement a CI/CD pipeline with all the security controls discussed in this guide.
- Perform a Tabletop Exercise: Simulate a security breach in your CI/CD pipeline and practice your incident response.
If you spot any mistakes on this website, please let me know at [email protected]. I’d greatly appreciate your feedback! :)