This page gathers reference materials, tools, and technical resources related to CI/CD security and software supply chain protection.
Resources listed here are selected for their relevance, technical depth, and practical usefulness.
Standards and frameworks
- SLSA (Supply-chain Levels for Software Artifacts)
Framework for improving build integrity and provenance across software supply chains.
- in-toto
Framework for securing the integrity of software supply chains through metadata and attestations.
- SSDF (NIST Secure Software Development Framework)
Guidelines for integrating security throughout the software development lifecycle.
- OWASP Top 10 CI/CD Risks
Threat model focused on CI/CD pipeline security risks.
CI/CD security tools
- Sigstore (Cosign, Rekor, Fulcio)
Tooling for signing, verifying, and recording software artifacts and attestations.
- Trivy
Vulnerability, configuration, and SBOM scanner for containers and pipelines.
- Syft
SBOM generation tool for containers and source artifacts.
- Grype
Vulnerability scanner based on SBOM analysis.
- Checkov
Static analysis tool for infrastructure as code and pipeline configurations.
Policy and control enforcement
- Open Policy Agent (OPA)
General-purpose policy engine for enforcing security controls in pipelines.
- Kyverno
Policy engine designed for Kubernetes-native environments.
- Conftest
Tool for writing and testing policies against structured configuration data.
CI/CD platforms and ecosystems
- GitHub Actions
CI/CD platform with a strong ecosystem and growing security features.
- GitLab CI/CD
Integrated DevSecOps platform with built-in security controls.
- Tekton
Kubernetes-native CI/CD framework for building custom pipelines.
Threat modeling and attacks
- CI/CD threat models
Analysis of attack paths targeting build systems, pipelines, and runners.
- Software supply chain attacks
Real-world incidents and techniques used to compromise delivery pipelines.
- Pipeline trust boundaries
Understanding trust assumptions across pipeline stages.
External references
- OWASP Foundation
Open security resources and threat models.
- CNCF Supply Chain Security
Cloud-native initiatives and best practices around supply chain security.
- NIST
Security standards and guidance related to software development and supply chains.
Related ecosystem
For compliance, governance, and regulatory aspects of DevSecOps and CI/CD, see regulated-devsecops.com.
The two sites are designed to complement each other:
- Secure Pipelines: technical implementation and engineering practices
- Regulated DevSecOps: governance, auditability, and compliance