Security in CI/CD

CI/CD pipelines have access to source code, secrets, production infrastructure, and deployment credentials — making them a high-value target for attackers. This lesson covers how to secure your pipeline, manage secrets, scan for vulnerabilities, and follow security best practices.

---

Why Pipeline Security Matters

A compromised CI/CD pipeline can:

• Inject malicious code into production deployments
• Exfiltrate secrets (API keys, database credentials, signing keys)
• Modify artefacts — supply chain attacks like SolarWinds
• Access production infrastructure through deployment credentials
• Compromise all downstream users if you publish libraries or packages

Notable Supply Chain Attacks

Incident	Year	Impact
SolarWinds	2020	Compromised build pipeline injected malware into updates
Codecov	2021	Modified bash uploader script exfiltrated CI secrets
ua-parser-js	2021	npm package hijacked to include cryptominer
xz Utils	2024	Backdoor inserted into a widely-used compression library

---

Secrets Management

What Are Secrets?

Secrets are sensitive values that pipelines need to function:

• API keys and tokens
• Database connection strings
• Cloud provider credentials (AWS keys, GCP service accounts)
• SSH keys and signing keys
• Container registry credentials
• Encryption keys

Where to Store Secrets

Location	Security Level	Use Case
CI platform secrets	Good	GitHub Actions secrets, GitLab CI variables
Vault (HashiCorp)	Excellent	Enterprise-grade secret management
AWS Secrets Manager	Excellent	AWS-native workloads
Azure Key Vault	Excellent	Azure workloads
GCP Secret Manager	Excellent	GCP workloads
SOPS / age	Good	Encrypted secrets in git (GitOps)

Secrets Anti-Patterns

Anti-Pattern	Risk	Correct Approach
Hardcoded in source code	Exposed in version history	Use environment variables
Stored in .env files committed to git	Visible to all contributors	Add .env to .gitignore, use CI secrets
Passed as command-line arguments	Visible in process listings	Use environment variables
Shared across all environments	Prod secrets exposed in dev	Use environment-scoped secrets
Never rotated	Increased window of compromise	Rotate regularly, use short-lived tokens

Using Secrets in GitHub Actions

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production   # Environment-scoped secrets + approvals
    steps:
      - uses: actions/checkout@v4

      - name: Deploy
        env:
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
          API_KEY: ${{ secrets.API_KEY }}
        run: ./deploy.sh

      # Secrets are automatically masked in logs
      # If a secret value appears in output, it shows ***

---

Static Application Security Testing (SAST)

SAST tools analyse source code for security vulnerabilities without running the application:

Tool	Language Support	Free Tier
CodeQL (GitHub)	JS, Python, Java, Go, C/C++, Ruby, C#	Free for public repos
Semgrep	30+ languages	Open-source
SonarQube	30+ languages	Community edition free
Snyk Code	Many languages	Free tier
Bandit	Python	Open-source
Brakeman	Ruby on Rails	Open-source

CodeQL in GitHub Actions

name: CodeQL Analysis

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'    # Weekly scan

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript