CI-CD Pentesting
A continuous penetration testing solution consists of several key components: a vulnerability scanner that automatically scans your code for vulnerabilities, a continuous monitoring system that tracks new assets and environmental changes, and integration with CI/CD tooling to start a new scan whenever there is a code update.
Core Concepts
CI/CD pentesting assesses the pipelines and tooling that build, test, and ship software. The goal is to protect the path from source code to production, since a single compromised step can poison every downstream artifact and reach production with trusted credentials.
Methodology / Phases:
- Map the pipeline: source repos, CI/CD platform, runners, build steps, artifact stores, and deploy targets.
- Review pipeline definitions: workflow/YAML files, triggers, and where untrusted input (PRs, forks) can run code.
- Hunt for secrets: tokens and keys in repo history, variables, logs, and build environments.
- Test trust and permissions: runner privileges, token scope, branch protections, and who can alter the pipeline.
- Trace the supply chain: dependencies, base images, and artifact integrity from build to deploy.
Key Concepts / What to look for:
- Secret leakage: credentials exposed in code, variables, or build logs.
- Poisoned pipeline execution: attacker-controlled input that runs in the pipeline (e.g. malicious PR workflows).
- Over-privileged runners and tokens: build jobs with more access than they need.
- Supply chain weaknesses: unpinned dependencies, mutable image tags, and unsigned artifacts.
- Weak access control: unprotected branches, missing reviews, and tamperable pipeline configuration.
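An added example, not part of the original page: a heuristic, line-based audit of a GitHub Actions workflow for several of the items above (a privileged PR trigger that checks out PR head code, PR fields expanded inside `run:` steps, actions not pinned to a commit SHA, a missing `permissions:` block, and `:latest` image tags). The sample workflow, the rule names and the placeholder SHA are constructed for illustration.

```python
import re

# Constructed sample workflow (not from a real repo); the 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: pr-build
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567
      - run: |
          echo "Building ${{ github.event.pull_request.title }}"
          docker build -t registry.example.com/app:latest .
"""

PINNED = re.compile(r"@([0-9a-f]{40}|sha256:[0-9a-f]{64})$")
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(event\.[\w.]+|head_ref)\s*\}\}")
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")
RUN = re.compile(r"^\s*(?:-\s*)?(run):")
PR_HEAD_REF = re.compile(r"^\s*ref:.*github\.(event\.pull_request\.head|head_ref)")

def audit_workflow(text):
    """Return sorted (line_no, rule) findings; line 0 means file-level."""
    findings = []
    privileged = re.search(r"^\s*(on:.*)?\bpull_request_target\b", text, re.M)
    if not re.search(r"^\s*permissions\s*:", text, re.M):
        findings.append((0, "token-scope"))  # GITHUB_TOKEN keeps its default scope
    run_col = None  # column of the run: key whose script we are inside, if any
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # dedent: the run: script has ended
        if (m := RUN.match(line)):
            run_col = m.start(1)
        if run_col is not None and UNTRUSTED.search(line):
            findings.append((no, "script-injection"))  # PR text expanded into shell
        u = USES.match(line)
        if u and not u.group(1).startswith("./") and not PINNED.search(u.group(1)):
            findings.append((no, "unpinned-action"))  # tag or branch can be moved
        if privileged and PR_HEAD_REF.match(line):
            findings.append((no, "poisoned-pipeline"))  # PR code in a privileged run
        if re.search(r":latest\b", line):
            findings.append((no, "mutable-tag"))
    return sorted(findings)
```

Call `audit_workflow()` on the text of each workflow file during pipeline definition review; because it matches lines rather than parsing YAML, treat its findings as leads to confirm by hand.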
Overview
A CI/CD pipeline is an automation system used for continuous integration and continuous delivery of software.
CI/CD security testing focuses on identifying vulnerabilities that can impact:
- Code integrity
- Build and deployment security
- Secret management
- Supply chain security
The objective is to ensure secure software delivery across all stages of the pipeline.
CI/CD Security Architecture
| Layer | Description |
|---|---|
| Source Code Repository | Stores application source code and version history |
| CI/CD Pipeline | Automates build, test, and deployment processes |
| Build System | Executes compilation and build operations |
| Artifact Storage | Stores build outputs such as binaries and container images |
| Secrets Management | Secure storage of credentials, tokens, and keys |
| Deployment Environment | Infrastructure where applications are deployed |
| Monitoring System | Logs, alerts, and runtime security monitoring |
CI/CD Pentesting Checklist
Information Gathering
| Item | Description | Tools |
|---|---|---|
| Scope Definition | Define objectives and boundaries of assessment | Manual review |
| Documentation Review | Analyze pipeline architecture and workflows | Wiki, README, Confluence |
| Access Review | Identify users, roles, and permissions | IAM consoles, GitHub settings |
Source Code Repository Security
| Item | Description | Tools |
|---|---|---|
| Secret Detection | Identify credentials, API keys, and tokens in code | GitLeaks, TruffleHog |
| Repository Review | Analyze source code for insecure patterns | GitHub, GitLab |
| Commit History Review | Detect previously exposed sensitive data | git log, git history |
Build System Security
| Item | Description | Tools |
|---|---|---|
| Build Process Review | Analyze build execution flow for security issues | Jenkins, GitHub Actions |
| Script Security | Identify unsafe commands and injection risks | Shell scripts, Dockerfiles |
| Artifact Integrity | Ensure build outputs are not modified or exposed | Docker Registry, AWS S3 |
Pipeline Configuration Security
| Item | Description | Tools |
|---|---|---|
| Pipeline Review | Inspect CI/CD configuration files for weaknesses | GitHub Actions, GitLab CI |
| Misconfiguration Detection | Identify insecure pipeline settings | Manual analysis |
| Secret Exposure | Detect hardcoded credentials in pipelines | TruffleHog, GitLeaks |
Supply Chain and Dependencies
| Item | Description | Tools |
|---|---|---|
| Dependency Scanning | Identify vulnerable or outdated dependencies | OWASP Dependency-Check |
| Supply Chain Risk | Detect malicious or compromised packages | Snyk, npm audit, pip-audit |
| Dependency Management | Ensure regular updates and patching | Package managers |
Authentication and Authorization
| Item | Description | Tools |
|---|---|---|
| Access Control Review | Validate role-based access control policies | IAM systems, GitHub Roles |
| Token Security | Ensure CI/CD tokens are secure and not exposed | Vault, Secrets Manager |
| Privilege Management | Enforce least privilege access principles | IAM platforms |
Secrets Management
| Item | Description | Tools |
|---|---|---|
| Secret Storage | Store secrets in secure vault systems | HashiCorp Vault, AWS Secrets Manager |
| Secret Exposure Detection | Identify secrets in code, logs, or configs | GitLeaks, TruffleHog |
| Secure Handling | Ensure encryption and controlled access | Vault, KMS |
Testing Environment Security
| Item | Description | Tools |
|---|---|---|
| Environment Isolation | Ensure separation between dev, test, and production | Kubernetes, cloud platforms |
| Debug Exposure | Detect exposed debug endpoints or services | Burp Suite |
| Access Control | Restrict access to non-production environments | IAM policies |
Vulnerability Assessment
| Item | Description | Tools |
|---|---|---|
| Automated Scanning | Detect known vulnerabilities in systems | OWASP ZAP, Nessus |
| Manual Testing | Identify logic and business vulnerabilities | Burp Suite |
| API Security Testing | Test backend APIs for security flaws | Postman, Burp Suite |
Integration and Deployment Security
| Item | Description | Tools |
|---|---|---|
| Third-Party Integration Review | Assess external service security | Webhook testing tools |
| Data Transfer Security | Ensure secure communication between services | Wireshark, Burp Suite |
| Deployment Control | Prevent unauthorized deployments to production | Jenkins, ArgoCD, GitHub Actions |
Common CI/CD Security Risks
Risk Overview
| Risk | Description | Tools |
|---|---|---|
| Secret Leakage | Exposure of credentials in code, logs, or configs | GitLeaks, TruffleHog |
| Pipeline Misconfiguration | Insecure CI/CD workflow design | Manual review |
| Supply Chain Attack | Introduction of malicious dependencies | Snyk, Dependency-Check |
| Artifact Exposure | Publicly accessible build outputs | Cloud storage review |
| Pipeline Injection | Execution of malicious build commands | Pipeline audits |
| Weak Access Control | Excessive CI/CD permissions | IAM tools |
| Token Leakage | Exposure of authentication tokens | Vault, Secrets Manager |
Key Focus Areas
Security Focus Summary
| Area | Focus |
|---|---|
| Source Code | Secret detection and secure coding practices |
| CI/CD Pipeline | Secure configuration and workflow design |
| Build System | Integrity and injection prevention |
| Deployment | Access control and release security |
| Cloud Infrastructure | Permission management and exposure control |