Security in CI/CD

CI/CD pipelines have access to source code, secrets, production infrastructure, and deployment credentials — making them a high-value target for attackers. This lesson covers how to secure your pipeline, manage secrets, scan for vulnerabilities, and follow security best practices.

---

Why Pipeline Security Matters

A compromised CI/CD pipeline can:

• Inject malicious code into production deployments
• Exfiltrate secrets (API keys, database credentials, signing keys)
• Modify artefacts — supply chain attacks like SolarWinds
• Access production infrastructure through deployment credentials
• Compromise all downstream users if you publish libraries or packages

Notable Supply Chain Attacks

Incident	Year	Impact
SolarWinds	2020	Compromised build pipeline injected malware into updates
Codecov	2021	Modified bash uploader script exfiltrated CI secrets
ua-parser-js	2021	npm package hijacked to include cryptominer
xz Utils	2024	Backdoor inserted into a widely-used compression library

---

Secrets Management

What Are Secrets?

Secrets are sensitive values that pipelines need to function: