8 Steps for Securing Your CI/CD Pipeline

Since September 2023, GitLab disclosed and addressed at least eight CI/CD pipeline-related vulnerabilities. A year later, a researcher discovered and published a series of new critical exploits. Here’s how to secure your CI/CD pipeline to stay a step ahead of attackers
Data from the 2024 State of Continuous Integration/Continuous Delivery (CI/CD) report shows that developers who use self-hosted and managed CI/CD platforms are 23% more likely to restore service after an incident faster than those not using CI/CD. They’re also better at code changes and deployment frequency.
This framework empowers DevOps teams and organizations to harness the power of automation to streamline the software delivery process and deploy reliable software and updates quickly.
But there’s a catch: Speed and automation are a double-edged sword. If not used properly, the CI/CD pipeline can introduce vulnerabilities and expose organizations to dangerous security threats you won’t notice until it’s too late.
Knowing this, we’ve set out eight actionable solutions you can implement right now to bake security into your CI/CD pipeline as never before.
Secure Your CI/CD Pipeline in 8 Steps
The CI/CD pipeline is the foundation of many software publishers’ development processes. The CI pipeline enables teams to frequently update code, while the CD pipeline lets them deploy the changes automatically to production once they’ve successfully passed testing.
Do you remember the SolarWinds attack? In 2020, cybercriminals took advantage of a vulnerability in the company’s CI/CD security processes to deploy malicious code that infected thousands of companies downstream worldwide. The rest is history.
Three years later, CircleCI forced all users to rotate their secrets due to another CI/CD-related breach on their systems. Furthermore, the attackers also managed to exfiltrate sensitive encrypted data, along with cryptographic keys that may have potentially given them access to the decrypted data.
CI/CD security breaches can have devastating effects. Prevent them by implementing these eight CI/CD security best practices. For content skimmers we’ve summarized them in the table below. However, if you’re looking for practical examples and valuable insights, we suggest you keep reading the rest of the article.
8 CI/CD Security Steps | Corresponding CI/CD Security Actions |
1. Implement a Strict Deployment Approval Process | Require manual approval for all deployments into production. |
2. Use Secure Communication Channels | – Use only HTTPS connections. – Apply end-to-end encryption. |
3. Beef Up Access Control & Secrets Management | – Implement the principle of least privilege. – Never hardcode credentials. – Enforce multifactor authentication (MFA). – Use a hardware security module (HSM). – Log and monitor CI/CD pipeline activities. |
4. Enforce Code Authentication and Integrity Checks | – Demand continuous code signing. – Mandate integrity checks at every step of your CI/CD pipeline. – Implement binary authorization. |
5. Secure Your Containers & Registries | – Sign your container images. – Use artifact scanning tools. – Download images only from trusted artifact repositories. |
6. Put Up Security Gates | – Start with vulnerabilities and dependencies scans. – Test your code often. Assess the security of your dependencies. – Identify and disable unnecessary features and services. |
7. Segment your CI/CD Pipeline | – Keep each CI/CD pipeline environment isolated. – Keep third-party tools separated from the CI/CD pipeline. – Restrict data flow between third-party tools and your CI/CD pipeline. |
8. Adopt a Continuous Threat Modeling Approach | – Create a software bill of materials (SBOM). – Identify potential CI/CD pipeline exploits. – Create mitigation strategies. |
1. Implement a Strict Deployment Approval Process
We get it. Sometimes, allowing anyone in your team to deploy a build from staging to production without approval can be handy. It lets you release an urgent patch or meet an upcoming deadline, even during the holiday season.
But is the convenience factor worth the risks? Imagine if an over-zealous newbie published an incomplete or buggy new feature for one of your key applications. (Think of the recent CrowdStrike update debacle that brought global organizations to their knees.) Maybe on a Friday afternoon or, even worse, just before the Thanksgiving holidays. It could cause a disruptive outage, and you could have to say goodbye to your turkey to go apologize to lawmakers and members of the public.
This “Insufficient flow control mechanism” can be so devastating that it has gained first place ranking on the OWASP Top 10 CI/CD security risks list. Save your weekends, celebrations, and organization’s reputation by introducing a CI/CD pipeline workflow that forces any deployment into production to be manually approved only by authorized persons. It’s a common GitHub feature.
2. Use Secure Communication Channels (i.e., HTTPS)
Your CI/CD pipeline often uses the hypertext transfer protocol (HTTP) for several actions (e.g., to communicate with deployment and build servers). However, HTTP isn’t a secure protocol and doesn’t protect your data from tampering and snooping.
An attacker could intercept the code you’re pushing to deployment and inject it with malicious code. Once the code is released, the users will install it, assuming it’s a safe and genuine update from you. Does that sound familiar? Yup, this is what happened with the SolarWinds attack.
Keep your connection secure. Protect your data transfer and users using only hypertext transfer protocol secure (HTTPS) connections. The end-to-end encryption offered by HTTPS certificates (i.e., SSL/TLS certificates) will minimize the risk of man-in-the-middle (MITM) attacks targeting your CI/CD pipeline.
3. Beef Up Access Controls & Secrets Management
8 million out of 1.1 billion commits scanned by GitGuardian in 2023 leaked at least one secret. In October 2024, an attacker, IntelBroker, claimed on a forum that they had a plethora of CISCO customers’ data, source codes, and hard-coded credentials. Needless to say, all hell broke loose. At the time of writing this article, CISCO is still investigating the breach:

The bad guys can breach CI/CD pipelines through credentials in multiple ways. Phishing, social engineering attacks, you name it. And once they’re in, they can wreak havoc.
Don’t despair — there are several solutions that can help you keep your organization off the list of data leaky organizations:
- Implement the principle of least privilege. Give developers and team members only access to what they need to do their job. This way, if one of their credentials is compromised, the threat actor will only get access to what the victim is authorized to access.
- Avoid hardcoded credentials. Never save your username and password in source codes, containerized apps, or CI/CD configuration files. Sure, hardcoding these secrets can be handy. However, it’s also an awfully dangerous practice that leaves you exposed if you forget to remove them later.
- Enforce multifactor authentication (MFA). Request all CI/CD pipeline users utilize MFA. Sounds annoying? Nevertheless, it’ll greatly reduce the risk of breaches and unauthorized modifications. It even has its spot of honor in CISA’s Secure Our World campaign.
- Use a hardware security module (HSM). Secure HSMs aren’t only great for storing your code signing certificate private keys (more on this in a moment). HSMs like Azure KeyVault let you save all secrets related to CI/CD action executions and more in one place. This gives authorized users the ability to use said secrets without having direct access to them.
- Log and monitor CI/CD pipeline activities. Log every action in a structured format (e.g., JSON) to increase visibility and accountability and create automated alerts. Track what changes are made, when, and by whom. In case something bad happens, all you’ll have to do is to check the logs.
Looking for more tips? Check out the OWASP CI/CD secrets management cheat sheet.
4. Enforce Code Authentication and Integrity Checks
A recent CrowdStrike application security report shows that only 54% of major code changes go through a security review. Yup, this means that more than half of code updates may be released without ensuring that they’re flaw-free and haven’t been tampered with. Don’t risk it.
- Enforce continuous code signing. Opt for a trusted code signing certificate issued by a renowned certificate authority (CA) such as DigiCert or Sectigo. Use it to sign your code at every step of the CI/CD pipeline.
- Mandate integrity checks at every step of your CI/CD pipeline. This approach will help guarantee that only trusted, legitimate, and unmodified code is deployed in production.
- Implement binary authorization. It’ll amplify the CI/CD security by indicating which binaries can be deployed. Create policies based on security parameters that verify the binary’s origin, approval status, and compliance with security rules.
Furthermore, since June 2023, code signing certificates have become more secure. Based on the updated industry Code Signing Certificate Baseline Requirements, all private keys are now issued only on cryptographically secure hardware (e.g., USB tokens or HSMs). Another good reason why integrating code signing into your CI/CD pipeline is the way to go.

5. Secure Your Containers and Registries
Software containers are wonderful. They streamline workflows and accelerate deployment. Used in a shared CI/CD pipeline environment where multiple builds run simultaneously, they help you prevent cross-contamination so that only the build you want to update is modified.
However, container images can also open the door to security risks. For instance, in 2021, attackers accessed a privileged container through a vulnerability in Teleport’s CI pipeline. They used this access to release malicious artifacts, seal secrets, and access the company’s systems.
Think back to the code signing we mentioned a little earlier. You can use this process to sign your container images, too. Once signed, use artifact scanning tools such as JFrog to identify security and compliance issues. Do you download images from the cloud? That’s fine, as long as you use trusted artifact repositories that offer pre-vetted container images like Azure Container Registry. There you have it. Now your CI/CD pipeline containers and Docker registries are more secure against tampering.

6. Put Up Security Gates
CI/CD pipelines thrive on automation, but like everything else, automation ain’t perfect. Attackers can find ways to exploit automation, just like they do with the tiniest vulnerabilities in any other software or process. In July 2024, a ransomware attack based on a CI/CD security vulnerability in Jenkins caused massive payment issues among Indian banking institutions.
With the number of ransomware victims increasing by a stunning 77% in 2023, and small businesses being hit 4.2 times more than medium and large companies, securing your CI/CD pipeline has never been so critical.
- Start with vulnerabilities and dependencies scans. Integrate your CI/CD pipeline with source composition analysis (SCA) tools like GitLab. It’ll ascertain your open-source components and dependencies are risk-free.
- Test your code often. Use static application security testing (SAST) and dynamic application security testing (DAST) tools. It’ll help you identify issues earlier (e.g., SQL injection, broken access control, insecure design), and save you time and resources. Make using these tools part of your software testing strategy.
- Assess the security of your dependencies. Security testing tools like Snyk will automatically scan your dependencies and third-party tools for issues, helping you reduce risks.
- Identify and disable unnecessary features and services. This will prevent you from publishing applications with default configurations or open ports reducing the attack surface.
7. Segment your CI/CD Pipeline
Isolation is key. In March 2024, more than 170,000 users working with the Python “Colorama” package were infected with malware that harvested sensitive information and credentials (e.g., GitHub accounts, social media data, and credit card data).
Imagine if an attacker broke into your CI/CD development section and quietly injected malware into your code. If you’re lucky, one of your scanning tools would spot it before deployment… but what if it doesn’t? After all, even the best tools aren’t perfect and can miss things.
To prevent this scenario, you should:
- Segment and isolate. Keep each CI/CD pipeline environment isolated (i.e., development, testing, and production).
- Separate third-party tools from the CI/CD pipeline. Run them in a sandbox or in a virtual machine. Using separate networks and servers is also a good approach.
- Restrict data flow between third-party tools and your CI/CD pipeline. Enforce specific firewall rules and network policies to cut back their ability to communicate with other environments.
All these measures will ensure that if the worst happens and your CI/CD pipeline is compromised, the impact will be confined to one area.
8. Adopt a Continuous Threat Modeling Approach
CompTIA’s 2025 State of Cybersecurity shows that 59% of the organizations that were victims of cybersecurity incidents in the past year have been moderately or severely impacted from both finance and productivity points of view. Run threat modeling exercises to detect, analyze, and mitigate potential security issues that may affect your CI/CD pipeline. Reiterating the steps below at all CI/CD pipeline stages will help you stay ahead of the bad guys.
Get Familiar with Your CI/CD Pipeline Architecture
Map out the CI/CD workflow, document best practices, and list the tools and technologies that are included at each step.
Identify Potential CI/CD Pipeline Exploits
Identify the top threats (e.g., unauthorized access, code tampering, etc.) and verify which actors (e.g., vendors, hackers, or employees) could cause the worst impact. Add a step to the pipeline to generate a software bill of materials (SBOM). This approach, which can be done using automated tools, will help you track dependencies and vulnerabilities.
An SBOM is a fundamental point of the White House National Cybersecurity Strategy Implementation Plan published in July 2023. No wonder that by the end of 2023, the number of published SBOMs reached a stunning 72,065.
Create Mitigation Strategies
In other words, gear up your defenses. Implement additional security controls (e.g., open source vulnerability checks, mandate automated inspection before pull requests, merges, and code reviews), improve your CI/CD pipeline’s architecture, train your employees, or adopt new security practices like the ones we’ve mentioned in this article.
Need help in preparing your first threat modeling? Get inspired by OWASP Threat Modeling Cheat Sheet. Does your team find the process boring? Learn how to make it fun with Vlad Styrian and Threat Dragon using Threat Modeling Gamification:
Why Is CI/CD Security Important for Every Organization?
So, now that you know what you should do, let’s answer the most pressing question many of you might have: Why should you invest precious time and resources into incorporating these CI/CD security best practices?
Here are four jolly good reasons. CI/CD best practices will:
- Protect your code (and systems) from attack. Safeguarding your CI/CD pipeline will help you shield your code, organization, systems, and customers from potentially devastating attacks.
- Prevent costly data breaches. In 2024, the global average cost of a data breach calculated by IBM reached new highs: $4.88 million. 10% more than last year. Would you really dare to put your organization at risk?
- Help you comply with policies and regulations. A secure CI/CD pipeline will help you comply with security and privacy regulations such as the European Union’s General Data Protection Regulation (GDPR).
- Guarantee quality assurance. Who doesn’t want high-quality and secure code? These CI/CD security best practices will help you achieve precisely that.
Final Thoughts About These 8 Security Steps for Your CI/CD Pipeline
Adding multiple layers of security to each stage of your CI/CD pipeline will protect your organization, systems, and software against evolving threats. Encryption, code signing, vulnerability analysis, and threat modeling are just a few of the CI/CD security best practices we’ve mentioned that can help you reduce the risk of attacks.
Embrace these gold standards now and share them with your employees and other network users through security awareness training. You’ll:
- Harden your software supply chain security,
- Ensure that your organization releases high-quality software that’s provably secure, and
- Foster trust in your brand and products.
Not bad for eight quick steps, huh?