CI/CD Security
IAM
Concepts
- Create an AWS account for each CI/CD environment
- [For Critical Business Services] Create an AWS account and role for each service within that business critical environment.
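The two concepts above, as an added example that is not part of the original notes: a small Python model of the layout (one AWS account per environment, one deploy role per critical service in the production account) expressed as IAM trust policies, plus a lint that checks a role in an environment account can only be assumed by that environment's pipeline principal in the CI account. Every account ID, role name and service name is a constructed placeholder.

```python
"""Added example (not from the original notes): model the per-environment
account / per-service role layout as IAM trust policies and lint them.
Account IDs, role names and service names are constructed placeholders."""
import json

# Constructed sample: one account per CI/CD environment, plus the account
# that runs the pipelines.  None of these IDs are real.
CI_ACCOUNT = "111111111111"
ENV_ACCOUNTS = {"dev": "222222222222", "staging": "333333333333", "prod": "444444444444"}
CRITICAL_SERVICES = ("payments", "orders")   # services that get their own role


def deploy_role_name(env, service=None):
    """Deploy role that lives in ENV's account (optionally scoped to one service)."""
    return f"ci-deploy-{env}" if service is None else f"ci-deploy-{env}-{service}"


def pipeline_principal(env, service=None):
    """ARN of the pipeline role in the CI account allowed to assume the deploy role."""
    suffix = f"-{service}" if service else ""
    return f"arn:aws:iam::{CI_ACCOUNT}:role/pipeline-{env}{suffix}"


def trust_policy(env, service=None):
    """Trust policy for the deploy role: only the matching pipeline principal,
    only via sts:AssumeRole.  Cross-account AssumeRole is the standard way a
    pipeline reaches into a separate environment account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": pipeline_principal(env, service)},
            "Action": "sts:AssumeRole",
        }],
    }


def layout():
    """env -> {role_name: trust_policy}.  Prod gets one role per critical service,
    the other environments a single deploy role."""
    roles = {}
    for env in ENV_ACCOUNTS:
        if env == "prod":
            roles[env] = {deploy_role_name(env, s): trust_policy(env, s) for s in CRITICAL_SERVICES}
        else:
            roles[env] = {deploy_role_name(env): trust_policy(env)}
    return roles


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def lint_trust_policy(policy, env):
    """Findings for a trust policy that is supposed to belong to ENV's account:
    wildcard principals, principals outside the CI account, principals that
    belong to another environment's pipeline, and over-broad actions."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for p in principals:
            if p == "*":
                findings.append("wildcard principal: any AWS account may assume this role")
                continue
            parts = p.split(":")
            account = parts[4] if len(parts) >= 6 else ""   # 5th ARN field is the account
            if account != CI_ACCOUNT:
                findings.append(f"principal {p} is outside the CI account")
            elif f"pipeline-{env}" not in p:
                findings.append(f"principal {p} belongs to another environment's pipeline")
        for action in _as_list(stmt.get("Action")):
            if action in ("*", "sts:*"):
                findings.append(f"over-broad action {action}; expected sts:AssumeRole only")
    return findings


def lint_layout(roles=None):
    """role_name -> findings for every role in the layout (empty dict when clean)."""
    roles = layout() if roles is None else roles
    report = {}
    for env, env_roles in roles.items():
        for name, policy in env_roles.items():
            findings = lint_trust_policy(policy, env)
            if findings:
                report[name] = findings
    return report


if __name__ == "__main__":
    print(json.dumps(layout(), indent=2))
    print("lint:", lint_layout() or "clean")
```

The lint is deliberately narrow: it only checks who may assume the role and with which action, which is the property the per-account split is meant to guarantee. A policy copied from the dev account into prod, or a trust policy with `"Principal": "*"`, is flagged; what the deploy role may do once assumed is a separate permissions-policy question not covered here.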
Resources
- How to secure CI/CD roles without burning production to the ground | theburningmonk.com
- CI CD Security - OWASP Cheat Sheet Series
- Security - Hardening Your GitLab Instance | GitLab
Offensive CI/CD
- GitHub - cider-security-research/cicd-goat: A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.
- CICD-Goat Setup and Easy Challenge walkthrough (WhiteRabbit, MadHatter, Duchess) - Offensive Research (philkeeble.com)
- LOTP - Living Off the Pipeline (boostsecurityio.github.io)
- Git-Rotate: Leveraging GitHub Actions to Bypass Microsoft Entra Smart lockout · Aura Research Division (aurainfosec.io)
- Poisoned Pipeline Execution Attacks: A Look at CI-CD… | Bishop Fox
- Playing with Fire – How We Executed a Critical Supply Chain Attack on PyTorch – John Stawinski IV