CI/CD security

Through the 2010s, application security focused on the running app: input validation, auth, crypto, SQL injection. CI/CD pipelines were dev infrastructure — out of scope for security teams.

Then a few things changed. (1) Pipelines started touching production directly — Continuous Deployment makes the pipeline the production-pushing surface. (2) Supply-chain attacks (SolarWinds, ua-parser-js, event-stream, codecov, several others) showed pipelines as a primary attacker target. (3) GitHub Actions usage exploded — millions of public workflows, many copy-pasted insecure patterns.

By 2022 'CI/CD security' had its own terminology, separate from AppSec, separate from infra security. Today it's its own discipline with dedicated tooling.

Workflow YAML — the most-attacked surface. Misconfigured triggers (pull_request_target + checkout fork code), missing permissions, unpinned action versions, untrusted input in run blocks, self-hosted runner abuse on public repos.

Dockerfile — base image trust (`:latest` tag), apt-get install bloat, ADD instead of COPY, curl-pipe-sh installation, running as root.

IaC configs (Terraform, K8s manifests, CloudFormation) — public S3 buckets, security groups open to 0.0.0.0/0 on sensitive ports, K8s pods without resource limits, hardcoded credentials in environment blocks.

Dependency management — lockfile drift, unpinned packages, dependency confusion (registries that auto-promote internal package names).

Secrets handling — env vars echoed to logs, base64-encoded secrets bypassing GitHub's masking, secrets in commit history.

AppSec tools scan source code at build time. CI/CD security tools have to scan the build infrastructure itself — workflow YAML, Dockerfiles, IaC — which sit alongside source but aren't compiled into the running app.

Many AppSec tools added 'CI/CD scanning' as a feature but their core engines (CodeQL, Semgrep, etc.) were designed for application code. The patterns that matter in CI/CD are different — they're about configuration, trust boundaries, and pipeline structure, not application logic.

Specialist CI/CD security tools emerged (Cycode, Legit, Apiiro, Spectral, and LGTM Security) precisely because the patterns to detect are different enough that retrofitting AppSec tools didn't work well.

CI/CD security tooling generally enforces at three points:

(1) Inline PR review. When a PR modifies workflow / Docker / IaC files, scan the diff and comment on findings. Same UX as code review.

(2) Merge-block Check Run. GitHub branch protection respects checks; a failing security check refuses the merge until resolved.

(3) Runtime watchdog. A GitHub Action installed on default branch that runs on every push (including direct commits and force pushes that bypass PR review), scans for the same patterns, and either alerts or auto-creates a revert PR.

All three together provide defense in depth. Single-gate tools miss attacks that arrive via non-PR paths (admin push, force push from collaborator with elevated permissions).

OWASP CI/CD Top 10 — the closest thing to a canonical risk list. Covers CICD-SEC-01 (Insufficient Flow Control) through CICD-SEC-10 (Insufficient Logging & Visibility). LGTM Security maps several detectors to specific OWASP items.

NIST Secure Software Development Framework (SSDF) — broader framework covering pipeline security as part of secure dev. PS.1.1 (secret detection) and PO.5.1 (audit log retention) are the relevant items.

OSSF Scorecard — open-source project security scorecard. Includes Pinned-Dependencies, Token-Permissions, and Dangerous-Workflow checks that overlap with LGTM Security's detector set.

For India-specific compliance, DPDP Act 2023's reasonable-security-practices (§24) is the relevant statute. CI/CD security with an audit log helps demonstrate compliance.