Cloud & Container Security · intermediate · ~11 min

CI/CD and software supply-chain security

Explain CI/CD and dependency/supply-chain risks and the defenses (SBOM, pinning).

Overview

CI/CD pipelines run with powerful credentials, so secrets-in-pipelines, over-privileged tokens, poisoned workflow execution, and unpinned actions/images are risks. The software supply chain adds vulnerable/malicious dependencies and compromised builds. Defenses: pin+verify, least-privilege tokens, dependency scanning, SBOM, artifact signing.

Why it matters

CI/CD holds the keys to production and the supply chain can inject code into everything you ship — both are high-leverage targets (SolarWinds-class impact). Pinning, least-privilege tokens, SCA, and SBOMs are the practical, increasingly-expected defenses.

Core concepts

  • CI/CD risks: pipeline secrets, over-privileged tokens, poisoned execution, unpinned actions.
  • Supply chain: vulnerable dependencies (SCA), malicious packages (typosquatting/hijacking), compromised builds.
  • Defenses: pin and verify by digest, least-privilege tokens, isolate fork workflows, dependency scanning, SBOM, signing.

Lesson

Modern software is built and shipped by automated pipelines pulling in huge amounts of third-party code — a large, often-overlooked attack surface.

CI/CD pipeline risks

Pipelines (GitHub Actions, GitLab CI, Jenkins) run code with powerful credentials (deploy keys, cloud roles, registry access). Risks:

  • Secrets in pipelines/logs, or readable by pull-request workflows from forks.
  • Over-privileged pipeline tokens (e.g. a GITHUB_TOKEN with write/admin scope).
  • Poisoned pipeline execution: an attacker who can edit a workflow or a build script runs code in the trusted CI context.
  • Unpinned actions/images: uses: someaction@main runs whatever that mutable reference (a branch or tag) points to at run time, not the code you reviewed.

Software supply chain

Your app depends on hundreds of transitive dependencies. Risks:

  • Vulnerable dependencies (known CVEs) — found by dependency scanning (SCA).
  • Malicious packages (typosquatting, hijacked maintainer accounts) — code execution at install/build.
  • Compromised build systems (the SolarWinds class) injecting backdoors during build.

Defenses

  • Pin dependencies and CI actions by version/digest; verify checksums/signatures.
  • Least-privilege pipeline tokens; isolate untrusted (fork) workflows; never expose secrets to them.
  • Dependency scanning + a maintained SBOM (Software Bill of Materials) — an inventory of every component, so when a new CVE drops you know if you're affected.
  • Sign artifacts (provenance) and review lockfile changes.
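As an added example (not part of the original lesson), the checks below turn three of the CI/CD risks and defenses above into a small audit of a GitHub Actions workflow: actions not pinned to a full commit SHA, a GITHUB_TOKEN granted write-all, and a trigger that runs fork pull requests with the base repository's secrets. The workflow text is constructed for illustration and the line-based parsing is a deliberate simplification (no YAML library), so it is a heuristic, not a full workflow parser.

```python
import re

# Constructed sample workflow, not taken from any real project. It carries the
# weak settings the lesson lists: a branch ref, a tag ref, a write-all token and
# a trigger that runs fork PRs with the base repo's secrets. The 40-hex value on
# the cache step is illustrative, not a verified pin of that action.
WEAK_WORKFLOW = """\
name: ci
on: [pull_request_target]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: actions/setup-node@v4
      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
      - run: npm ci
"""

USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(workflow: str) -> list:
    """Return every 'uses:' reference not pinned to a full commit SHA.
    A branch (main) or tag (v4) is mutable: whoever controls the action repo
    can move it later, so the pipeline would run different code next run."""
    findings = []
    for line in workflow.splitlines():
        m = USES_LINE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local paths and docker:// images need a different check
        ref = m.group(1)
        if not FULL_SHA.fullmatch(ref.partition("@")[2]):
            findings.append(ref)
    return findings

def token_scope(workflow: str) -> str:
    """Classify the top-level GITHUB_TOKEN grant: 'missing' (the repository
    default applies), 'write-all', or 'scoped' (read-all or a per-scope block)."""
    for line in workflow.splitlines():
        if line.startswith("permissions:"):
            value = line.split(":", 1)[1].strip()
            return "write-all" if value == "write-all" else "scoped"
    return "missing"

def runs_forks_with_secrets(workflow: str) -> bool:
    """pull_request_target runs with the base repository's secrets even for
    PRs from forks, so fork-supplied code must never execute under it."""
    return any(line.startswith("on:") and "pull_request_target" in line
               for line in workflow.splitlines())
```

A hardened version of the same workflow would pin each action to a full SHA, declare `permissions:` with only `contents: read`, and trigger on `pull_request` so fork code runs without secrets; the three functions then return an empty list, 'scoped' and False.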

Summary

CI/CD and dependencies are a major modern attack surface: pipelines wield production credentials and apps pull in vast third-party code. Defend with pinned/verified components, least-privilege pipeline tokens, dependency scanning, SBOMs, and artifact signing.