Engineering Security for CI/CD & Software Supply Chains
Secure Pipelines is a technical knowledge hub dedicated to securing CI/CD, GitOps, and software delivery pipelines. Practical security engineering, real-world implementations, and hands-on labs — from code to production.
Built by practitioners, for practitioners.
Start here
New to CI/CD security? Start with these comprehensive guides:
- The Complete Guide to CI/CD Pipeline Security — Everything you need to know about securing pipelines, from trust boundaries to deployment controls.
- Software Supply Chain Security: Comprehensive Guide — Dependencies, build integrity, artifact signing, provenance, and SBOMs.
- CI/CD Threats and Attacks: What Attackers Target — Real-world attack techniques and how to defend against them.
Platform guides
| Platform | Definitive Guide | Cheat Sheet | Hands-On Lab |
|---|---|---|---|
| GitHub Actions | Security Guide | Cheat Sheet | Hardening Lab |
| GitLab CI | Security Guide | Cheat Sheet | Securing Lab |
| Tekton | — | — | Tekton Chains Lab |
Featured guides
- Signing and Verifying Container Images with Sigstore and Cosign
- Secrets Management in CI/CD Pipelines: Patterns, Anti-Patterns, and Vault Integration
- Artifact Provenance and Attestations: From SLSA to in-toto
- Short-Lived Credentials and Workload Identity Federation
- Policy as Code for CI/CD: Enforcing Security Gates with OPA and Rego
- Dependency Confusion and Artifact Poisoning: Attack Techniques and Defenses
- Defensive Patterns and Mitigations for CI/CD Pipeline Attacks
- CI/CD Execution Models and Trust Assumptions
- Separation of Duties and Least Privilege in CI/CD Pipelines
- Build Integrity and Reproducible Builds
Hands-on labs
Step-by-step exercises with real CI/CD configurations, YAML examples, and failure scenarios.
Attack & defense
- Poisoned Pipeline Execution (PPE) — Exploit and defend
- Dependency Confusion Attack Simulation
- Detecting Malicious GitHub Actions
- Artifact Tampering and Detection
- Secret Leak Detection and Prevention
Supply chain & signing
- Signing Container Images with Cosign in GitHub Actions
- Generating and Verifying SLSA Provenance
- SBOM Pipeline with Syft and Cosign
- Reproducible Container Builds
Platform hardening
- Hardening GitHub Actions Workflows
- Securing GitLab CI Pipelines
- OIDC Workload Identity for GitHub Actions with AWS
- Ephemeral Runners with Actions Runner Controller
- Kubernetes Policies with OPA Conftest
- Secure Build Pipeline with Tekton Chains
Tool comparisons
Choosing the right tools? These in-depth comparisons help you decide.
- Security Scanners: Trivy vs Grype vs Snyk vs Checkov
- Signing Tools: Cosign vs Notation vs GPG
- SBOM Tools: Syft vs Trivy vs CycloneDX CLI
- Policy Engines: OPA vs Kyverno vs Sentinel vs Cedar
Quick references
- OWASP Top 10 CI/CD Risks — Explained with Real-World Examples
- SLSA Levels — A Practical Compliance Checklist
- GitHub Actions Security Cheat Sheet
- GitLab CI Security Cheat Sheet
→ Browse all resources and tools
Explore by topic
| Topic | What it covers | Start here |
|---|---|---|
| CI/CD Security | Trust boundaries, permissions, secrets, deployment controls | Complete Guide |
| Supply Chain | Dependencies, builds, signing, provenance, SBOMs | Comprehensive Guide |
| GitHub Actions | Workflows, permissions, runners, OIDC, third-party actions | Definitive Guide |
| GitLab CI | Variables, runners, environments, tokens, deployments | Definitive Guide |
| Threats & Attacks | PPE, dependency confusion, credential theft, artifact tampering | Threats Guide |
| Pipeline Hardening | Runner isolation, network restrictions, least privilege | Hardening Guide |
Who is this site for
Secure Pipelines is designed for engineering teams operating real-world pipelines:
- DevOps engineers — hardening the pipelines you build and maintain
- Platform engineers — designing secure CI/CD infrastructure at scale
- Security engineers — assessing and improving pipeline security posture
- DevSecOps practitioners — integrating security into delivery workflows
- Technical architects — designing trust models and control architectures
No vendor hype. No shallow checklists. Just practical, engineering-focused security.
The ecosystem
Secure Pipelines is part of a two-site ecosystem:
- Secure Pipelines — Technical implementation: how to build, harden, and defend CI/CD pipelines.
- Regulated DevSecOps — Governance and compliance: how to govern, audit, and certify those controls (ISO 27001, NIS2, SOC 2).
Together, they provide both the engineering and governance perspectives required to secure modern software delivery.
CI/CD security must be engineered, not bolted on.