# The Pipeline Is an Attack Surface
SolarWinds and XZ Utils taught us that the software supply chain is a primary target. Your CI/CD pipeline has access to production secrets, can deploy to production, and runs arbitrary code from your repositories.
## Principle of Least Privilege for Pipeline Tokens

```yaml
permissions:
  contents: read
  packages: write
  id-token: write

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
```
## Pin Third-Party Actions by Commit SHA

```yaml
# BAD — tag can be moved
- uses: actions/checkout@v4

# GOOD — commit SHA is immutable
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
```
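As an added example (not code from the original post), here is a small stdlib-only Python audit that applies the two rules above: it flags every `uses:` reference that is not pinned to a full 40-hex commit SHA, and a blanket `permissions: write-all`. The sample workflow it scans is constructed for the demo; the regex-based line scan is an assumption that workflow files follow the usual one-key-per-line YAML layout.

```python
import re

# A `uses:` step reference, e.g. actions/checkout@v4 or actions/checkout@<40-hex sha>.
# It also matches a reusable-workflow `uses:` under jobs.<id>, which needs pinning too.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
WRITE_ALL_RE = re.compile(r"^\s*permissions:\s*write-all\s*$")


def classify_ref(uses):
    """Return (action, ref, kind); kind is 'sha' (immutable), 'mutable' (tag or branch),
    'unversioned' (no @ref at all) or 'skip' (local path or docker image)."""
    if uses.startswith("./") or uses.startswith("docker://"):
        return uses, "", "skip"
    if "@" not in uses:
        return uses, "", "unversioned"
    action, ref = uses.rsplit("@", 1)
    return action, ref, ("sha" if FULL_SHA_RE.match(ref) else "mutable")


def audit_workflow(text):
    """Scan workflow YAML line by line; return [(line_number, message), ...] for
    actions not pinned to a full commit SHA and for `permissions: write-all`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            action, ref, kind = classify_ref(m.group(1))
            if kind == "mutable":
                findings.append((lineno, f"{action}@{ref}: mutable ref, pin to a commit SHA"))
            elif kind == "unversioned":
                findings.append((lineno, f"{action}: no ref at all, pin to a commit SHA"))
        elif WRITE_ALL_RE.match(line):
            findings.append((lineno, "permissions: write-all grants every scope; list only what the job needs"))
    return findings


# Constructed sample workflow (not from the post) mixing pinned and unpinned steps.
SAMPLE_WORKFLOW = """\
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: actions/setup-node@v4
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {msg}")
```

Run it against `.github/workflows/*.yml` in CI and fail the job on any finding; a pinned SHA only stays trustworthy if a reviewer has checked the commit it points at.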
## OIDC Instead of Long-Lived Secrets

```yaml
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole
    aws-region: us-east-1
```
## Secret Scanning in Pipeline

```bash
trufflehog git file://. --since-commit HEAD~1 --fail
```
## SBOM and Attestation

```bash
syft myapp:${TAG} -o spdx-json > sbom.json
cosign sign --key cosign.key myapp:${TAG}
```
## Defensive Takeaways
- Every secret in your pipeline should be rotated after a developer leaves
- Pin action versions by SHA in all workflow files
- Require PR reviews for workflow file changes via branch protection rules
- Log and alert on any pipeline that deploys to production outside business hours