This article discusses the security vulnerabilities associated with GitHub Actions, highlighting issues like secrets management failures, insufficient permission management, and dependency pinning failures. It emphasizes the importance of understanding these risks to protect CI/CD workflows from potential attacks.

A typosquatted npm package named “@acitons/artifact” impersonated the legitimate “@actions/artifact” to exploit GitHub's CI/CD workflows. It stole tokens from build environments and published malicious artifacts, highlighting vulnerabilities in supply chain security.

Aikido Security has identified a vulnerability in GitHub Actions and GitLab CI/CD workflows that allows AI agents to execute malicious instructions, potentially leaking sensitive information. The flaw affects multiple companies and demonstrates how AI prompt injection can compromise software supply chains.

Cloudflare uses a "shift left" strategy to embed security checks early in the software development process, aiming to minimize human error and prevent misconfigurations. By managing their infrastructure as code, they ensure consistent security policies across hundreds of accounts while enabling rapid deployment. Key tools include Terraform and a custom CI/CD pipeline.

This article outlines how attackers can exploit self-hosted GitLab environments, particularly through instance runners. It details the steps to gain access, including hijacking runners and extracting sensitive information from repositories. The post also offers defensive measures to mitigate these risks.

The article discusses a significant incident in March 2025 involving vulnerabilities discovered in the Node.js CI/CD pipeline, which potentially exposed sensitive information. The response to the incident highlights the importance of security measures and the ongoing commitment to improving Node.js infrastructure and practices.

The guide provides insights into the OWASP Top 10 CI/CD security risks, emphasizing how automation and Infrastructure as Code (IaC) practices have expanded attack surfaces. It outlines the dangers of Dependency-Poisoned Pipeline Execution (D-PPE) attacks and stresses the importance of securing CI/CD pipelines against both direct and indirect threats.

Kingfisher is an open-source secret detection and validation tool developed by MongoDB that scans code repositories for hard-coded credentials and API keys while validating their activity in real-time. Designed for on-premises use, it enhances security by reducing false positives and ensuring that sensitive data remains within the user's infrastructure. Kingfisher integrates seamlessly with CI/CD pipelines and supports various programming languages, making it a versatile solution for developers and security teams.

GitLab has released critical security updates for its DevSecOps platform to address multiple vulnerabilities, including account takeover and injection of malicious jobs in CI/CD pipelines. Users are urged to upgrade to the latest versions immediately to protect against these security flaws, which have been exploited in recent attacks on major companies.

Spotter is a Kubernetes security scanner designed to identify misconfigurations, vulnerabilities, and compliance issues in Kubernetes clusters and manifests. It features extensibility through the Common Expression Language (CEL) for defining custom rules, supports multiple output formats for CI/CD integration, and provides a comprehensive set of scanning capabilities, including real-time cluster assessments and detailed reporting.

Platform teams evolve their deployment pipelines through three stages: establishing a deployment pipeline, integrating security measures, and developing a DevOps pipeline to enhance developer productivity. Each stage builds on the previous one by adding automation, security scanning, and improved documentation, ultimately streamlining the development process and reducing risks. Emphasizing an evolutionary approach allows organizations to adapt their pipelines to meet specific needs and compliance requirements.

The article focuses on best practices for implementing CI/CD security, emphasizing the importance of integrating security measures throughout the software development lifecycle. It provides a cheat sheet that outlines essential tips and strategies to enhance security in continuous integration and continuous deployment processes.

CI/CD servers are vulnerable to attacks that can compromise source code and sensitive data, making their security critical. The article outlines essential steps to enhance the security of CI/CD servers and highlights the risks associated with security breaches. By prioritizing security measures, organizations can protect themselves from potential data breaches and attacks.

CI/CD pipelines often contain sensitive information within their logs, making them a critical target for attackers. The article discusses how to implement automated scanning of GitLab CI logs using GitGuardian's tools to detect and manage exposed secrets, enhancing security across the DevOps lifecycle. This approach helps organizations catch runtime secrets and maintain compliance while integrating seamlessly into existing workflows.

Grafana Labs introduced Zizmor, an open source static analysis tool, in their CI/CD pipelines to detect and prevent vulnerabilities in GitHub Actions following a security incident. The tool helps identify unsafe configurations and practices, such as the use of `pull_request_target`, and is part of a broader effort to enhance security across their repositories. Despite facing challenges like GitHub's rate limiting, Grafana is committed to using Zizmor to bolster their defenses against future attacks.

GitLab 18 has been released, introducing significant enhancements aimed at improving the user experience and streamlining development workflows. Key features include improved performance metrics, enhanced security measures, and more integrated CI/CD tools designed to facilitate better collaboration among development teams.

The article discusses the security considerations necessary for using GitHub Actions in CI/CD setups, emphasizing the importance of protecting workflows against potential threats from contributors with write access. It details various attack scenarios, including script injection vulnerabilities, and provides best practices for securing sensitive workflows and managing permissions effectively.

Sysdig's Threat Research Team uncovered significant security vulnerabilities in GitHub Actions workflows across popular open source projects, including those by MITRE and Splunk. Their research revealed how insecure configurations, particularly using pull_request_target, can expose sensitive credentials and allow for exploitation, prompting the team to recommend best practices to enhance CI/CD security.

The article discusses the importance of secure and preferred methods for passing parameters to CI/CD pipelines in GitLab. It emphasizes best practices and strategies to enhance security while ensuring efficient parameter handling within the pipeline process.