\u0625\u0646 \u0641\u0647\u0645 \u0643\u064a\u0641\u064a\u0629 \u0645\u0647\u0627\u062c\u0645\u0629 CI\/CD pipelines \u0644\u064a\u0633 \u0633\u0648\u0649 \u0646\u0635\u0641 \u0627\u0644\u0635\u0648\u0631\u0629. \u064a\u0645\u0646\u062d\u0646\u0627 \u0646\u0645\u0630\u062c\u0629 \u0627\u0644\u062a\u0647\u062f\u064a\u062f\u0627\u062a \u0648\u062a\u0635\u0646\u064a\u0641 \u0627\u0644\u0647\u062c\u0645\u0627\u062a \u062e\u0631\u064a\u0637\u0629 \u0644\u0633\u0627\u062d\u0629 \u0627\u0644\u0645\u0639\u0631\u0643\u0629\u060c \u0644\u0643\u0646 \u0628\u062f\u0648\u0646 \u0623\u0646\u0645\u0627\u0637 \u062f\u0641\u0627\u0639\u064a\u0629 \u0645\u0644\u0645\u0648\u0633\u0629 \u0648\u062a\u062f\u0627\u0628\u064a\u0631 \u0647\u0646\u062f\u0633\u064a\u0629 \u0644\u0644\u062a\u062e\u0641\u064a\u0641\u060c \u062a\u0638\u0644 \u062a\u0644\u0643 \u0627\u0644\u0645\u0639\u0631\u0641\u0629 \u0646\u0638\u0631\u064a\u0629. \u064a\u0633\u062f\u0651 \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644 \u0627\u0644\u0641\u062c\u0648\u0629 \u0628\u064a\u0646 \u0627\u0644\u0648\u0639\u064a \u0648\u0627\u0644\u0639\u0645\u0644.<\/p>\n
\u0627\u0644\u0647\u062f\u0641 \u0644\u064a\u0633 \u0628\u0646\u0627\u0621 \u062d\u0635\u0646 \u0645\u0646\u064a\u0639 \u2014 \u0641\u0647\u0630\u0627 \u063a\u064a\u0631 \u0645\u0648\u062c\u0648\u062f. \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0630\u0644\u0643\u060c \u0646\u0631\u0643\u0632 \u0639\u0644\u0649 \u062a\u0642\u0644\u064a\u0644 \u0633\u0637\u062d \u0627\u0644\u0647\u062c\u0648\u0645\u060c \u0648\u0627\u0644\u062d\u062f \u0645\u0646 \u0646\u0637\u0627\u0642 \u0627\u0644\u0636\u0631\u0631 \u0639\u0646\u062f\u0645\u0627 \u064a\u062d\u062f\u062b \u062e\u0637\u0623 \u0645\u0627\u060c \u0648\u062c\u0639\u0644 \u0627\u0644\u0640 pipelines \u0645\u0631\u0646\u0629 \u0628\u0645\u0627 \u064a\u0643\u0641\u064a \u0644\u0644\u062a\u0639\u0627\u0641\u064a \u0628\u0633\u0631\u0639\u0629. \u0643\u0644 \u0639\u0646\u0635\u0631 \u062a\u062d\u0643\u0645 \u0645\u0648\u0635\u0648\u0641 \u0647\u0646\u0627 \u064a\u0631\u062a\u0628\u0637 \u0628\u0623\u0646\u0645\u0627\u0637 \u0647\u062c\u0648\u0645 \u062d\u0642\u064a\u0642\u064a\u0629: \u0627\u0644\u0640 pipelines \u0627\u0644\u0645\u0633\u0645\u0648\u0645\u0629\u060c \u0648\u0633\u0631\u0642\u0629 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f\u060c \u0648\u0627\u062e\u062a\u0637\u0627\u0641 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a\u060c \u0648\u0627\u0644\u062a\u0644\u0627\u0639\u0628 \u0628\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a.<\/p>\n
\u0633\u0646\u0633\u062a\u0639\u0631\u0636 \u0627\u0644\u062f\u0641\u0627\u0639\u0627\u062a \u0637\u0628\u0642\u0629 \u0628\u0637\u0628\u0642\u0629 \u2014 \u0645\u0646 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0645\u0635\u062f\u0631\u064a \u0625\u0644\u0649 \u0648\u0642\u062a \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u2014 \u062b\u0645 \u0646\u063a\u0637\u064a \u0642\u062f\u0631\u0627\u062a \u0627\u0644\u0643\u0634\u0641 \u0648\u0627\u0644\u0627\u0633\u062a\u062c\u0627\u0628\u0629 \u0644\u0644\u062d\u0648\u0627\u062f\u062b \u0627\u0644\u062a\u064a \u062a\u064f\u063a\u0644\u0642 \u0627\u0644\u062d\u0644\u0642\u0629. \u0633\u0648\u0627\u0621 \u0643\u0646\u062a \u062a\u0624\u0645\u0651\u0646 GitHub Actions \u0623\u0648 GitLab CI \u0623\u0648 Jenkins \u0623\u0648 \u0623\u064a \u0645\u0646\u0635\u0629 CI\/CD \u0623\u062e\u0631\u0649\u060c \u062a\u0638\u0644 \u0627\u0644\u0645\u0628\u0627\u062f\u0626 \u0648\u0627\u062d\u062f\u0629.<\/p>\n
\u0644\u0627 \u064a\u0643\u0641\u064a \u0639\u0646\u0635\u0631 \u062a\u062d\u0643\u0645 \u0623\u0645\u0646\u064a \u0648\u0627\u062d\u062f \u0644\u062d\u0645\u0627\u064a\u0629 CI\/CD pipeline. \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u0648\u0646 \u0645\u0628\u062f\u0639\u0648\u0646\u060c \u0648\u0633\u064a\u062c\u062f\u0648\u0646 \u0627\u0644\u062b\u063a\u0631\u0629 \u0641\u064a \u0623\u064a \u062f\u0641\u0627\u0639 \u0623\u062d\u0627\u062f\u064a \u0627\u0644\u0637\u0628\u0642\u0629. \u0627\u0644\u0627\u0633\u062a\u0631\u0627\u062a\u064a\u062c\u064a\u0629 \u0627\u0644\u0648\u062d\u064a\u062f\u0629 \u0627\u0644\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u0637\u0628\u064a\u0642 \u0647\u064a \u0627\u0644\u062f\u0641\u0627\u0639 \u0627\u0644\u0645\u062a\u0639\u062f\u062f \u0627\u0644\u0637\u0628\u0642\u0627\u062a: \u0639\u0646\u0627\u0635\u0631 \u062a\u062d\u0643\u0645 \u0645\u062a\u062f\u0627\u062e\u0644\u0629 \u0641\u064a \u0643\u0644 \u0645\u0631\u062d\u0644\u0629 \u0645\u0646 \u062f\u0648\u0631\u0629 \u062d\u064a\u0627\u0629 \u062a\u0633\u0644\u064a\u0645 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a.<\/p>\n
\u062a\u0648\u0641\u0631 \u0642\u0627\u0626\u0645\u0629 OWASP Top 10 CI\/CD Security Risks<\/a> \u0625\u0637\u0627\u0631\u0627\u064b \u0645\u0646\u0638\u0645\u0627\u064b \u0644\u0641\u0647\u0645 \u0645\u0627 \u064a\u0645\u0643\u0646 \u0623\u0646 \u064a\u062d\u062f\u062b \u0645\u0646 \u0623\u062e\u0637\u0627\u0621. \u0643\u0644 \u062e\u0637\u0631 \u2014 \u0645\u0646 CICD-SEC-1 (\u0622\u0644\u064a\u0627\u062a \u0627\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0627\u0644\u062a\u062f\u0641\u0642 \u063a\u064a\u0631 \u0627\u0644\u0643\u0627\u0641\u064a\u0629) \u062d\u062a\u0649 CICD-SEC-10 (\u0639\u062f\u0645 \u0643\u0641\u0627\u064a\u0629 \u0627\u0644\u062a\u0633\u062c\u064a\u0644 \u0648\u0627\u0644\u0631\u0624\u064a\u0629) \u2014 \u064a\u062a\u0637\u0644\u0628 \u062a\u062f\u0627\u0628\u064a\u0631 \u062a\u062e\u0641\u064a\u0641 \u0645\u062d\u062f\u062f\u0629. \u062a\u0645 \u062a\u0646\u0638\u064a\u0645 \u0627\u0644\u062f\u0641\u0627\u0639\u0627\u062a \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644 \u0644\u0645\u0639\u0627\u0644\u062c\u0629 \u0647\u0630\u0647 \u0627\u0644\u0645\u062e\u0627\u0637\u0631 \u0628\u0634\u0643\u0644 \u0645\u0646\u0647\u062c\u064a.<\/p>\n \u0641\u0643\u0651\u0631 \u0641\u064a CI\/CD pipeline \u0643\u0633\u0644\u0633\u0644\u0629 \u0645\u0646 \u062d\u062f\u0648\u062f \u0627\u0644\u062b\u0642\u0629:<\/p>\n \u0644\u0643\u0644 \u0637\u0628\u0642\u0629 \u062a\u0647\u062f\u064a\u062f\u0627\u062a \u0645\u0645\u064a\u0632\u0629 \u0648\u062a\u062a\u0637\u0644\u0628 \u062f\u0641\u0627\u0639\u0627\u062a \u0645\u0645\u064a\u0632\u0629. \u0644\u0627 \u064a\u0646\u0628\u063a\u064a \u0623\u0646 \u064a\u062a\u0633\u0644\u0633\u0644 \u0627\u0644\u0627\u062e\u062a\u0631\u0627\u0642 \u0641\u064a \u0637\u0628\u0642\u0629 \u0648\u0627\u062d\u062f\u0629 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b \u0625\u0644\u0649 \u0627\u0644\u0637\u0628\u0642\u0629 \u0627\u0644\u062a\u0627\u0644\u064a\u0629.<\/p>\n \u0637\u0628\u0642\u0629 \u0627\u0644\u0645\u0635\u062f\u0631 \u0647\u064a \u062d\u064a\u062b \u062a\u0628\u062f\u0623 \u0645\u0639\u0638\u0645 \u0647\u062c\u0645\u0627\u062a CI\/CD. \u0627\u0644\u0645\u0647\u0627\u062c\u0645 \u0627\u0644\u0630\u064a \u064a\u0645\u0643\u0646\u0647 \u062a\u0639\u062f\u064a\u0644 \u0627\u0644\u0643\u0648\u062f \u0623\u0648 \u062a\u0639\u0631\u064a\u0641\u0627\u062a \u0627\u0644\u0640 pipeline \u0623\u0648 \u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0625\u0639\u062f\u0627\u062f\u0627\u062a \u064a\u062a\u062d\u0643\u0645 \u0641\u064a\u0645\u0627 \u064a\u0646\u0641\u0630\u0647 \u0627\u0644\u0640 pipeline. \u062a\u0636\u0645\u0646 \u062f\u0641\u0627\u0639\u0627\u062a \u0637\u0628\u0642\u0629 \u0627\u0644\u0645\u0635\u062f\u0631 \u0623\u0646 \u0627\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0627\u0644\u0645\u064f\u0635\u0631\u0651\u062d \u0628\u0647\u0627 \u0648\u0627\u0644\u0645\u064f\u0631\u0627\u062c\u064e\u0639\u0629 \u0648\u0627\u0644\u0645\u064f\u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627 \u0641\u0642\u0637 \u0647\u064a \u0627\u0644\u062a\u064a \u062a\u062f\u062e\u0644 \u0627\u0644\u0640 pipeline.<\/p>\n \u062d\u0645\u0627\u064a\u0629 \u0627\u0644\u0641\u0631\u0648\u0639 \u0647\u064a \u062e\u0637 \u0627\u0644\u062f\u0641\u0627\u0639 \u0627\u0644\u0623\u0648\u0644. \u0643\u062d\u062f \u0623\u062f\u0646\u0649\u060c \u064a\u062c\u0628 \u0623\u0646 \u062a\u0641\u0631\u0636 \u0641\u0631\u0648\u0639 main \u0648\u0627\u0644\u0625\u0635\u062f\u0627\u0631:<\/p>\n \u0644\u064a\u0633\u062a \u0643\u0644 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0641\u064a \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639 \u062a\u062d\u0645\u0644 \u0646\u0641\u0633 \u0627\u0644\u0645\u062e\u0627\u0637\u0631. \u062a\u0639\u0631\u064a\u0641\u0627\u062a \u0627\u0644\u0640 pipeline \u0648\u0642\u0648\u0627\u0644\u0628 \u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629 \u0643\u0640 code \u0648\u0625\u0639\u062f\u0627\u062f\u0627\u062a \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0647\u064a \u0623\u0647\u062f\u0627\u0641 \u0639\u0627\u0644\u064a\u0629 \u0627\u0644\u0642\u064a\u0645\u0629. \u0627\u0633\u062a\u062e\u062f\u0645 CODEOWNERS \u0644\u0637\u0644\u0628 \u0645\u0631\u0627\u062c\u0639\u0629 \u0645\u0646 \u0641\u0631\u0642 \u0645\u062d\u062f\u062f\u0629 \u0644\u0644\u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u062d\u0633\u0627\u0633\u0629:<\/p>\n \u064a\u0648\u0641\u0631 \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0627\u0644\u062a\u0632\u0627\u0645\u0627\u062a \u062f\u0644\u064a\u0644\u0627\u064b \u062a\u0634\u0641\u064a\u0631\u064a\u0627\u064b \u0639\u0644\u0649 \u0627\u0644\u062a\u0623\u0644\u064a\u0641. \u0628\u062f\u0648\u0646\u0647\u060c \u064a\u0645\u0643\u0646 \u0644\u0644\u0645\u0647\u0627\u062c\u0645 \u0627\u0644\u0630\u064a \u064a\u062e\u062a\u0631\u0642 \u0631\u0645\u0632 \u0648\u0635\u0648\u0644 \u0645\u0637\u0648\u0631 \u0623\u0646 \u064a\u062f\u0641\u0639 \u0627\u0644\u062a\u0632\u0627\u0645\u0627\u062a \u062a\u0628\u062f\u0648 \u0648\u0643\u0623\u0646\u0647\u0627 \u0645\u0646 \u0623\u064a \u0634\u062e\u0635. \u0641\u0639\u0651\u0644 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0627\u0644\u062a\u0632\u0627\u0645\u0627\u062a \u0639\u0644\u0649 \u0627\u0644\u0641\u0631\u0648\u0639 \u0627\u0644\u0645\u062d\u0645\u064a\u0629 \u0644\u0636\u0645\u0627\u0646 \u062a\u0648\u0642\u064a\u0639 \u0643\u0644 \u0627\u0644\u062a\u0632\u0627\u0645 \u0628\u0645\u0641\u062a\u0627\u062d GPG \u0623\u0648 SSH \u0645\u0648\u062b\u0642.<\/p>\n \u0645\u0631\u0627\u062c\u0639\u0629 \u0627\u0644\u0643\u0648\u062f \u0647\u064a \u062a\u062d\u0643\u0645 \u0628\u0634\u0631\u064a\u060c \u0648\u064a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u062d\u0648\u0627\u062c\u0632 \u062d\u0645\u0627\u064a\u0629:<\/p>\n \u0644\u064a\u0633 \u0643\u0644 \u062d\u062f\u062b \u064a\u062c\u0628 \u0623\u0646 \u064a\u064f\u0634\u063a\u0651\u0644 \u062a\u0634\u063a\u064a\u0644\u0627\u064b \u0643\u0627\u0645\u0644\u0627\u064b \u0644\u0644\u0640 pipeline\u060c \u062e\u0627\u0635\u0629 \u0648\u0627\u062d\u062f\u0627\u064b \u064a\u0645\u0644\u0643 \u0635\u0644\u0627\u062d\u064a\u0629 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0623\u0633\u0631\u0627\u0631:<\/p>\n \u0637\u0628\u0642\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0647\u064a \u062d\u064a\u062b \u064a\u0635\u0628\u062d \u0627\u0644\u0643\u0648\u062f \u0642\u0627\u0628\u0644\u0627\u064b \u0644\u0644\u062a\u0646\u0641\u064a\u0630. \u0627\u0644\u0627\u062e\u062a\u0631\u0627\u0642 \u0647\u0646\u0627 \u064a\u0639\u0646\u064a \u0623\u0646 \u0627\u0644\u0645\u0647\u0627\u062c\u0645 \u064a\u0645\u0643\u0646\u0647 \u062d\u0642\u0646 \u0645\u0646\u0637\u0642 \u062e\u0628\u064a\u062b \u0641\u064a \u0645\u062e\u0631\u062c\u0627\u062a\u0643 \u062f\u0648\u0646 \u062a\u0639\u062f\u064a\u0644 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0645\u0635\u062f\u0631\u064a. \u062a\u0631\u0643\u0632 \u062f\u0641\u0627\u0639\u0627\u062a \u0637\u0628\u0642\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0639\u0644\u0649 \u0627\u0644\u0639\u0632\u0644 \u0648\u0627\u0644\u0637\u0628\u064a\u0639\u0629 \u0627\u0644\u0645\u0624\u0642\u062a\u0629 \u0648\u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0627\u0644\u062f\u0646\u064a\u0627.<\/p>\n \u062a\u062a\u0631\u0627\u0643\u0645 \u0641\u064a \u0645\u0634\u063a\u0651\u0644\u0627\u062a CI \u0627\u0644\u062f\u0627\u0626\u0645\u0629 \u062d\u0627\u0644\u0629: \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0645\u062e\u0632\u0646\u0629 \u0645\u0624\u0642\u062a\u0627\u064b\u060c \u0648\u0645\u0644\u0641\u0627\u062a \u0645\u062a\u0628\u0642\u064a\u0629 \u0645\u0646 \u0628\u0646\u0627\u0621\u0627\u062a \u0633\u0627\u0628\u0642\u0629\u060c \u0648\u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0628\u064a\u0626\u0629 \u062a\u062a\u0633\u0631\u0628 \u0628\u064a\u0646 \u0627\u0644\u0645\u0647\u0627\u0645. \u062a\u0642\u0636\u064a \u0627\u0644\u0645\u0634\u063a\u0651\u0644\u0627\u062a \u0627\u0644\u0645\u0624\u0642\u062a\u0629 \u0639\u0644\u0649 \u0647\u0630\u0647 \u0627\u0644\u0641\u0626\u0629 \u0645\u0646 \u0627\u0644\u0645\u062e\u0627\u0637\u0631 \u062a\u0645\u0627\u0645\u0627\u064b \u0645\u0646 \u062e\u0644\u0627\u0644 \u062a\u0648\u0641\u064a\u0631 VM \u0623\u0648 \u062d\u0627\u0648\u064a\u0629 \u062c\u062f\u064a\u062f\u0629 \u0644\u0643\u0644 \u0645\u0647\u0645\u0629 \u0648\u062a\u062f\u0645\u064a\u0631\u0647\u0627 \u0641\u0648\u0631\u0627\u064b \u0628\u0639\u062f \u0630\u0644\u0643.<\/p>\n \u062d\u062a\u0649 \u0645\u0639 \u0627\u0644\u0645\u0634\u063a\u0651\u0644\u0627\u062a \u0627\u0644\u0645\u0624\u0642\u062a\u0629\u060c \u064a\u0645\u0643\u0646 \u0644\u0644\u0628\u0646\u0627\u0621\u0627\u062a \u0627\u0644\u062a\u064a \u062a\u062a\u0634\u0627\u0631\u0643 \u0630\u0627\u0643\u0631\u0629 \u0627\u0644\u062a\u062e\u0632\u064a\u0646 \u0627\u0644\u0645\u0624\u0642\u062a \u0623\u0648 \u0646\u0637\u0627\u0642\u0627\u062a \u0627\u0644\u0634\u0628\u0643\u0629 \u0623\u0646 \u062a\u0633\u0631\u0651\u0628 \u0645\u0639\u0644\u0648\u0645\u0627\u062a \u0628\u064a\u0646 \u0627\u0644\u0645\u0647\u0627\u0645. \u062a\u0623\u0643\u062f \u0645\u0646:<\/p>\n \u064a\u0645\u0643\u0646 \u0644\u062e\u0637\u0648\u0629 \u0628\u0646\u0627\u0621 \u0645\u062e\u062a\u0631\u0642\u0629 \u0630\u0627\u062a \u0635\u0644\u0627\u062d\u064a\u0629 \u0648\u0635\u0648\u0644 \u063a\u064a\u0631 \u0645\u0642\u064a\u062f\u0629 \u0625\u0644\u0649 \u0627\u0644\u0634\u0628\u0643\u0629 \u0623\u0646 \u062a\u0633\u0631\u0651\u0628 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0625\u0644\u0649 \u0628\u0646\u064a\u0629 \u062a\u062d\u062a\u064a\u0629 \u064a\u062a\u062d\u0643\u0645 \u0641\u064a\u0647\u0627 \u0627\u0644\u0645\u0647\u0627\u062c\u0645. \u0642\u064a\u0651\u062f \u0635\u0644\u0627\u062d\u064a\u0629 \u0627\u0644\u0648\u0635\u0648\u0644 \u0627\u0644\u0635\u0627\u062f\u0631 \u0625\u0644\u0649 \u0627\u0644\u0634\u0628\u0643\u0629:<\/p>\n \u0643\u0644 \u0623\u062f\u0627\u0629 \u0645\u062b\u0628\u062a\u0629 \u0641\u064a \u0635\u0648\u0631\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0647\u064a \u0633\u0637\u062d \u0647\u062c\u0648\u0645 \u0645\u062d\u062a\u0645\u0644. \u062c\u0631\u0651\u062f \u0635\u0648\u0631 \u0627\u0644\u0628\u0646\u0627\u0621 \u0625\u0644\u0649 \u0627\u0644\u062d\u062f \u0627\u0644\u0623\u062f\u0646\u0649:<\/p>\n \u0627\u0644\u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062a\u0641\u0635\u064a\u0644\u064a \u0648\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0645\u0637\u0648\u0644\u0629 \u0644\u0627 \u062a\u0642\u062f\u0631 \u0628\u062b\u0645\u0646 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u062a\u0637\u0648\u064a\u0631 \u0644\u0643\u0646\u0647\u0627 \u062e\u0637\u064a\u0631\u0629 \u0641\u064a pipelines \u0627\u0644\u0625\u0646\u062a\u0627\u062c. \u064a\u0645\u0643\u0646\u0647\u0627 \u062a\u0633\u0631\u064a\u0628 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0648\u0627\u0644\u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u062f\u0627\u062e\u0644\u064a\u0629 \u0648\u062a\u0641\u0627\u0635\u064a\u0644 \u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629. \u062a\u0623\u0643\u062f \u0645\u0646 \u062a\u0639\u0637\u064a\u0644 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0647\u064a \u0627\u0644\u0647\u062f\u0641 \u0627\u0644\u0623\u0643\u062b\u0631 \u0642\u064a\u0645\u0629 \u0641\u064a \u0623\u064a CI\/CD pipeline. \u0627\u0644\u0645\u0647\u0627\u062c\u0645 \u0627\u0644\u0630\u064a \u064a\u062d\u0635\u0644 \u0639\u0644\u0649 \u0645\u0641\u062a\u0627\u062d \u0648\u0635\u0648\u0644 \u0633\u062d\u0627\u0628\u064a \u0623\u0648 \u0631\u0645\u0632 \u0646\u0634\u0631 \u0623\u0648 \u0633\u0631 API \u064a\u0645\u0643\u0646\u0647 \u0627\u0644\u062a\u062d\u0648\u0644 \u0628\u0639\u064a\u062f\u0627\u064b \u0639\u0646 \u0627\u0644\u0640 pipeline \u0646\u0641\u0633\u0647. \u062a\u0631\u0643\u0632 \u062f\u0641\u0627\u0639\u0627\u062a \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0639\u0644\u0649 \u062a\u0642\u0644\u064a\u0644 \u0645\u0627 \u0647\u0648 \u0645\u0648\u062c\u0648\u062f\u060c \u0648\u0645\u0627 \u064a\u0645\u0643\u0646 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u064a\u0647\u060c \u0648\u0644\u0643\u0645 \u0645\u0646 \u0627\u0644\u0648\u0642\u062a.<\/p>\n \u064a\u0645\u062a\u0644\u0643 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0623\u0645\u062f \u0627\u0644\u0645\u062e\u0632\u0646\u0629 \u0641\u064a \u0623\u0646\u0638\u0645\u0629 CI\/CD \u0647\u064a \u0642\u0646\u0627\u0628\u0644 \u0645\u0648\u0642\u0648\u062a\u0629. \u0627\u0633\u062a\u0628\u062f\u0644\u0647\u0627 \u0628\u0640 OIDC-based workload identity federation \u062d\u064a\u062b\u0645\u0627 \u0623\u0645\u0643\u0646:<\/p>\n \u0645\u0639 OIDC\u060c \u062a\u0635\u062f\u0631 \u0645\u0646\u0635\u0629 CI\/CD \u0631\u0645\u0632 JWT \u0642\u0635\u064a\u0631 \u0627\u0644\u0623\u0645\u062f\u060c \u0648\u064a\u0633\u062a\u0628\u062f\u0644\u0647 \u0645\u0632\u0648\u062f \u0627\u0644\u0633\u062d\u0627\u0628\u0629 \u0628\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0645\u0624\u0642\u062a\u0629. \u0644\u0627 \u064a\u062a\u0645 \u062a\u062e\u0632\u064a\u0646 \u0623\u0633\u0631\u0627\u0631 \u062b\u0627\u0628\u062a\u0629 \u0641\u064a \u0623\u064a \u0645\u0643\u0627\u0646.<\/p>\n \u0645\u062c\u0645\u0648\u0639\u0629 \u0648\u0627\u062d\u062f\u0629 \u0645\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0645\u0634\u062a\u0631\u0643\u0629 \u0639\u0628\u0631 \u062c\u0645\u064a\u0639 \u0627\u0644\u0628\u064a\u0626\u0627\u062a \u062a\u0639\u0646\u064a \u0646\u0637\u0627\u0642 \u0636\u0631\u0631 \u0643\u0627\u0631\u062b\u064a. \u0642\u0633\u0651\u0645 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f:<\/p>\n \u0644\u0627 \u064a\u0646\u0628\u063a\u064a \u0623\u0628\u062f\u0627\u064b \u0623\u0646 \u062a\u0645\u0644\u0643 pull requests \u0645\u0646 \u0627\u0644\u0640 forks \u0635\u0644\u0627\u062d\u064a\u0629 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639. \u0647\u0630\u0627 \u062e\u0637\u0623 \u0634\u0627\u0626\u0639 \u0641\u064a \u0627\u0644\u0625\u0639\u062f\u0627\u062f\u0627\u062a \u064a\u0645\u0643\u0651\u0646 \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u064a\u0646 \u0645\u0646 \u062a\u0633\u0631\u064a\u0628 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0628\u062a\u0642\u062f\u064a\u0645 PR \u062e\u0628\u064a\u062b. \u0641\u064a GitHub Actions\u060c \u0627\u0633\u062a\u062e\u062f\u0645 \u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u062a\u064a \u0644\u0627 \u064a\u0645\u0643\u0646\u0647\u0627 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 OIDC (\u0643\u0644\u0645\u0627\u062a \u0645\u0631\u0648\u0631 \u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a\u060c \u0645\u0641\u0627\u062a\u064a\u062d API \u0644\u062e\u062f\u0645\u0627\u062a \u0627\u0644\u0637\u0631\u0641 \u0627\u0644\u062b\u0627\u0644\u062b)\u060c \u0627\u0633\u062a\u062e\u062f\u0645 \u0645\u062f\u064a\u0631 \u0623\u0633\u0631\u0627\u0631 \u0645\u062b\u0644 HashiCorp Vault \u0645\u0639 \u0623\u0633\u0631\u0627\u0631 \u062f\u064a\u0646\u0627\u0645\u064a\u0643\u064a\u0629 \u0642\u0635\u064a\u0631\u0629 \u0627\u0644\u0623\u0645\u062f:<\/p>\n \u062a\u064f\u0646\u0634\u0623 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u062f\u064a\u0646\u0627\u0645\u064a\u0643\u064a\u0629 \u0639\u0646\u062f \u0627\u0644\u0637\u0644\u0628\u060c \u0648\u0645\u062d\u062f\u062f\u0629 \u0627\u0644\u0646\u0637\u0627\u0642 \u0644\u0644\u0647\u0648\u064a\u0629 \u0627\u0644\u0637\u0627\u0644\u0628\u0629\u060c \u0648\u062a\u064f\u0644\u063a\u0649 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b \u0639\u0646\u062f \u0627\u0646\u062a\u0647\u0627\u0621 \u0635\u0644\u0627\u062d\u064a\u062a\u0647\u0627. \u062d\u062a\u0649 \u0644\u0648 \u062a\u0633\u0631\u0628\u062a\u060c \u062a\u064f\u0642\u0627\u0633 \u0646\u0627\u0641\u0630\u0629 \u0627\u0644\u062a\u0639\u0631\u0636 \u0628\u0627\u0644\u062f\u0642\u0627\u0626\u0642\u060c \u0648\u0644\u064a\u0633 \u0628\u0627\u0644\u0623\u0634\u0647\u0631.<\/p>\n \u064a\u062c\u0628 \u0623\u0646 \u062a\u0648\u0644\u0651\u062f \u0643\u0644 \u0639\u0645\u0644\u064a\u0629 \u0627\u0633\u062a\u0631\u062f\u0627\u062f \u0633\u0631 \u0625\u062f\u062e\u0627\u0644\u0627\u064b \u0641\u064a \u0633\u062c\u0644 \u0627\u0644\u062a\u062f\u0642\u064a\u0642. \u0625\u0630\u0627 \u0644\u0645 \u064a\u0633\u062c\u0644 \u0645\u062f\u064a\u0631 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0648\u0635\u0648\u0644\u060c \u0641\u0644\u064a\u0633 \u0644\u062f\u064a\u0643 \u0637\u0631\u064a\u0642\u0629 \u0644\u0644\u062a\u062d\u0642\u064a\u0642 \u0641\u064a \u0627\u0644\u0627\u062e\u062a\u0631\u0627\u0642. \u062a\u0623\u0643\u062f \u0645\u0646 \u0623\u0646 \u0627\u0644\u0633\u062c\u0644\u0627\u062a \u062a\u0644\u062a\u0642\u0637: \u0645\u0646 \u0648\u0635\u0644 \u0625\u0644\u0649 \u0645\u0627\u0630\u0627\u060c \u0648\u0645\u062a\u0649\u060c \u0648\u0645\u0646 \u0623\u064a \u062a\u0634\u063a\u064a\u0644 pipeline\u060c \u0648\u0645\u0646 \u0623\u064a \u0639\u0646\u0648\u0627\u0646 IP.<\/p>\n \u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u2014 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0648\u0627\u0644\u062b\u0646\u0627\u0626\u064a\u0627\u062a \u0648\u0627\u0644\u062d\u0632\u0645 \u2014 \u0647\u064a \u0627\u0644\u062c\u0633\u0631 \u0628\u064a\u0646 \u0627\u0644\u0640 pipeline \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u0648\u0627\u0644\u0625\u0646\u062a\u0627\u062c. \u0625\u0630\u0627 \u062a\u0645\u0643\u0646 \u0627\u0644\u0645\u0647\u0627\u062c\u0645 \u0645\u0646 \u0627\u0644\u062a\u0644\u0627\u0639\u0628 \u0628\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0628\u0639\u062f \u0628\u0646\u0627\u0626\u0647\u0627\u060c \u062a\u0635\u0628\u062d \u062c\u0645\u064a\u0639 \u0627\u0644\u062f\u0641\u0627\u0639\u0627\u062a \u0627\u0644\u0633\u0627\u0628\u0642\u0629 \u0628\u0644\u0627 \u062c\u062f\u0648\u0649. \u062a\u0636\u0645\u0646 \u062f\u0641\u0627\u0639\u0627\u062a \u0637\u0628\u0642\u0629 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0633\u0644\u0627\u0645\u0629 \u0648\u0627\u0644\u0645\u0646\u0634\u0623 \u0648\u0639\u062f\u0645 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631.<\/p>\n \u064a\u0648\u0641\u0631 \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u062f\u0644\u064a\u0644\u0627\u064b \u062a\u0634\u0641\u064a\u0631\u064a\u0627\u064b \u0639\u0644\u0649 \u0623\u0646 \u0627\u0644\u0645\u062e\u0631\u062c \u0623\u064f\u0646\u062a\u062c \u0628\u0648\u0627\u0633\u0637\u0629 \u0627\u0644\u0640 pipeline \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u0648\u0644\u0645 \u064a\u064f\u0639\u062f\u0651\u0644 \u0645\u0646\u0630 \u0630\u0644\u0643 \u0627\u0644\u062d\u064a\u0646. \u064a\u062c\u0639\u0644 Cosign \u0645\u0646 Sigstore \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u062a\u0627\u062d \u0639\u0645\u0644\u064a\u0627\u064b:<\/p>\n \u0645\u0639 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u062a\u0627\u062d\u060c \u064a\u0643\u0648\u0646 \u0645\u0641\u062a\u0627\u062d \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0645\u0624\u0642\u062a\u0627\u064b \u0648\u0645\u0631\u062a\u0628\u0637\u0627\u064b \u0628\u0647\u0648\u064a\u0629 OIDC \u0644\u0640 workflow \u0627\u0644\u0640 CI\/CD. \u0644\u0627 \u064a\u0648\u062c\u062f \u0645\u0641\u062a\u0627\u062d \u062a\u0648\u0642\u064a\u0639 \u0637\u0648\u064a\u0644 \u0627\u0644\u0623\u0645\u062f \u064a\u0645\u0643\u0646 \u0633\u0631\u0642\u062a\u0647.<\/p>\n \u064a\u0633\u062c\u0644 SLSA (Supply-chain Levels for Software Artifacts) provenance \u0643\u064a\u0641 \u0648\u0623\u064a\u0646 \u0648\u0645\u0646 \u0628\u0646\u0649 \u0627\u0644\u0645\u062e\u0631\u062c. \u0641\u064a SLSA Level 3\u060c \u064a\u062a\u0645 \u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u0640 provenance \u0628\u0648\u0627\u0633\u0637\u0629 \u0645\u0646\u0635\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0646\u0641\u0633\u0647\u0627 \u0648\u0644\u0627 \u064a\u0645\u0643\u0646 \u062a\u0632\u0648\u064a\u0631\u0647 \u0645\u0646 \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0628\u0646\u0627\u0621:<\/p>\n \u0644\u0627 \u064a\u0646\u0628\u063a\u064a \u0623\u0628\u062f\u0627\u064b \u0627\u0644\u0643\u062a\u0627\u0628\u0629 \u0641\u0648\u0642 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0645\u0646\u0634\u0648\u0631\u0629. \u0625\u0630\u0627 \u062a\u0645\u0643\u0646 \u0627\u0644\u0645\u0647\u0627\u062c\u0645 \u0645\u0646 \u0627\u0633\u062a\u0628\u062f\u0627\u0644 \u0625\u0635\u062f\u0627\u0631 \u0645\u0646\u0634\u0648\u0631\u060c \u064a\u0645\u0643\u0646\u0647 \u062d\u0642\u0646 \u0643\u0648\u062f \u062e\u0628\u064a\u062b \u0641\u064a \u0643\u0644 \u0639\u0645\u0644\u064a\u0629 \u0646\u0634\u0631 \u062a\u0634\u064a\u0631 \u0625\u0644\u0649 \u0630\u0644\u0643 \u0627\u0644\u0625\u0635\u062f\u0627\u0631. \u0627\u0636\u0628\u0637 \u0633\u062c\u0644\u0627\u062a\u0643 \u0644\u0639\u062f\u0645 \u0627\u0644\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631:<\/p>\n \u062a\u0633\u0631\u062f \u0642\u0627\u0626\u0645\u0629 \u0645\u0648\u0627\u062f \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a (SBOM) \u0643\u0644 \u0645\u0643\u0648\u0646 \u0641\u064a \u0627\u0644\u0645\u062e\u0631\u062c \u0627\u0644\u062e\u0627\u0635 \u0628\u0643. \u0625\u0646\u0634\u0627\u0621 SBOM \u0641\u064a \u0648\u0642\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0648\u0627\u0644\u062a\u0635\u062f\u064a\u0642 \u0639\u0644\u064a\u0647\u0627 \u0645\u0639 \u0627\u0644\u0645\u062e\u0631\u062c \u064a\u0646\u0634\u0626 \u062c\u0631\u062f\u0627\u064b \u0642\u0627\u0628\u0644\u0627\u064b \u0644\u0644\u062a\u062d\u0642\u0642 \u0644\u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u062b\u063a\u0631\u0627\u062a:<\/p>\n \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0645\u0641\u064a\u062f \u0641\u0642\u0637 \u0625\u0630\u0627 \u062a\u062d\u0642\u0642\u062a \u0645\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0642\u0628\u0644 \u0627\u0644\u0646\u0634\u0631. \u0627\u0633\u062a\u062e\u062f\u0645 \u0648\u062d\u062f\u0627\u062a \u0627\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0627\u0644\u0642\u0628\u0648\u0644 \u0641\u064a Kubernetes \u0644\u0641\u0631\u0636 \u0630\u0644\u0643 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b:<\/p>\n \u0645\u0639 \u0647\u0630\u0647 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u0645\u0639\u0645\u0648\u0644 \u0628\u0647\u0627\u060c \u0633\u064a\u062a\u0645 \u0631\u0641\u0636 \u0623\u064a \u0635\u0648\u0631\u0629 \u062d\u0627\u0648\u064a\u0629 \u062a\u0641\u062a\u0642\u0631 \u0625\u0644\u0649 \u062a\u0648\u0642\u064a\u0639 Cosign \u0635\u0627\u0644\u062d \u0645\u0646 workflows GitHub Actions \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643 \u0641\u064a \u0648\u0642\u062a \u0627\u0644\u0642\u0628\u0648\u0644 \u2014 \u0642\u0628\u0644 \u0623\u0646 \u062a\u0639\u0645\u0644 \u0641\u064a \u0645\u062c\u0645\u0648\u0639\u062a\u0643.<\/p>\n \u0637\u0628\u0642\u0629 \u0627\u0644\u0646\u0634\u0631 \u0647\u064a \u0627\u0644\u0628\u0648\u0627\u0628\u0629 \u0627\u0644\u0623\u062e\u064a\u0631\u0629 \u0642\u0628\u0644 \u0648\u0635\u0648\u0644 \u0627\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0625\u0644\u0649 \u0627\u0644\u0625\u0646\u062a\u0627\u062c. \u062a\u0636\u0645\u0646 \u0627\u0644\u062f\u0641\u0627\u0639\u0627\u062a \u0647\u0646\u0627 \u0623\u0646 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0645\u064f\u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627 \u0648\u0627\u0644\u0645\u0639\u062a\u0645\u062f\u0629 \u0641\u0642\u0637 \u064a\u062a\u0645 \u0646\u0634\u0631\u0647\u0627\u060c \u0648\u0623\u0646 \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0646\u0634\u0631 \u0646\u0641\u0633\u0647\u0627 \u0645\u064f\u062a\u062d\u0643\u0645 \u0628\u0647\u0627 \u0648\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u062f\u0642\u064a\u0642.<\/p>\n \u0644\u0639\u0645\u0644\u064a\u0627\u062a \u0646\u0634\u0631 \u0627\u0644\u0625\u0646\u062a\u0627\u062c\u060c \u064a\u062c\u0628 \u0623\u0646 \u062a\u062a\u0648\u0642\u0641 \u0627\u0644\u0640 pipelines \u0627\u0644\u0622\u0644\u064a\u0629 \u0648\u062a\u062a\u0637\u0644\u0628 \u0645\u0648\u0627\u0641\u0642\u0629 \u0628\u0634\u0631\u064a\u0629 \u0635\u0631\u064a\u062d\u0629. \u064a\u0648\u0641\u0631 \u0647\u0630\u0627 \u0646\u0642\u0637\u0629 \u0641\u062d\u0635 \u0646\u0647\u0627\u0626\u064a\u0629 \u062d\u064a\u062b \u064a\u0645\u0643\u0646 \u0644\u0644\u0625\u0646\u0633\u0627\u0646 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0623\u0646 \u0627\u0644\u062a\u063a\u064a\u064a\u0631 \u0645\u062a\u0648\u0642\u0639 \u0648\u0645\u062e\u062a\u0628\u0631 \u0648\u0645\u064f\u0635\u0631\u0651\u062d \u0628\u0647.<\/p>\n \u0641\u064a \u0625\u0639\u062f\u0627\u062f\u0627\u062a \u0645\u0633\u062a\u0648\u062f\u0639 GitHub\u060c \u0627\u0636\u0628\u0637 \u0628\u064a\u0626\u0629 “production” \u0644\u062a\u062a\u0637\u0644\u0628 \u0627\u0644\u0645\u0648\u0627\u0641\u0642\u0629 \u0645\u0646 \u0627\u0644\u0645\u0631\u0627\u062c\u0639\u064a\u0646 \u0627\u0644\u0645\u0639\u064a\u0646\u064a\u0646 \u0642\u0628\u0644 \u0645\u062a\u0627\u0628\u0639\u0629 \u0627\u0644\u0645\u0647\u0645\u0629.<\/p>\n \u062a\u062f\u0641\u0639 pipelines CI\/CD \u0627\u0644\u062a\u0642\u0644\u064a\u062f\u064a\u0629 \u0625\u0644\u0649 \u0627\u0644\u0625\u0646\u062a\u0627\u062c: \u064a\u0645\u062a\u0644\u0643 \u0627\u0644\u0640 pipeline \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0644\u062a\u0639\u062f\u064a\u0644 \u0628\u0646\u064a\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u0627\u0644\u062a\u062d\u062a\u064a\u0629. \u0647\u0630\u0627 \u0633\u0637\u062d \u0647\u062c\u0648\u0645 \u0643\u0628\u064a\u0631. \u064a\u0639\u0643\u0633 GitOps \u0645\u0639 \u0627\u0644\u0646\u0634\u0631 \u0627\u0644\u0642\u0627\u0626\u0645 \u0639\u0644\u0649 \u0627\u0644\u0633\u062d\u0628 \u0627\u0644\u0646\u0645\u0648\u0630\u062c:<\/p>\n \u062d\u062a\u0649 \u0645\u0639 \u062c\u0645\u064a\u0639 \u0627\u0644\u062f\u0641\u0627\u0639\u0627\u062a \u0627\u0644\u0633\u0627\u0628\u0642\u0629\u060c \u064a\u0645\u0643\u0646 \u0644\u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0646\u0634\u0631 \u0623\u0646 \u062a\u0633\u0628\u0628 \u0645\u0634\u0627\u0643\u0644. \u064a\u062d\u062f \u0627\u0644\u0646\u0634\u0631 \u0627\u0644\u062a\u062f\u0631\u064a\u062c\u064a (Canary) \u0645\u0646 \u0627\u0644\u062a\u0639\u0631\u0636 \u0628\u0646\u0634\u0631 \u0627\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0625\u0644\u0649 \u0646\u0633\u0628\u0629 \u0635\u063a\u064a\u0631\u0629 \u0645\u0646 \u062d\u0631\u0643\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 \u0623\u0648\u0644\u0627\u064b. \u0625\u0630\u0627 \u062a\u062f\u0647\u0648\u0631\u062a \u0627\u0644\u0645\u0642\u0627\u064a\u064a\u0633\u060c \u064a\u0639\u064a\u062f \u0627\u0644\u062a\u0631\u0627\u062c\u0639 \u0627\u0644\u0622\u0644\u064a \u0627\u0644\u062a\u063a\u064a\u064a\u0631 \u0642\u0628\u0644 \u0623\u0646 \u064a\u0624\u062b\u0631 \u0639\u0644\u0649 \u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645\u064a\u0646.<\/p>\n \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u062d\u0648\u0627\u062f\u062b \u0627\u0644\u0646\u0634\u0637\u0629 \u0623\u0648 \u0646\u0648\u0627\u0641\u0630 \u0627\u0644\u0635\u064a\u0627\u0646\u0629 \u0623\u0648 \u0641\u062a\u0631\u0627\u062a \u062d\u0631\u0643\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 \u0627\u0644\u0639\u0627\u0644\u064a\u0629\u060c \u064a\u062c\u0628 \u062a\u062c\u0645\u064a\u062f \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0646\u0634\u0631. \u0646\u0641\u0651\u0630 \u0633\u064a\u0627\u0633\u0627\u062a \u062a\u062c\u0645\u064a\u062f \u0627\u0644\u0646\u0634\u0631 \u0627\u0644\u062a\u064a \u062a\u0645\u0646\u0639 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0646\u0634\u0631 \u0627\u0644\u062a\u064a \u064a\u0628\u062f\u0623\u0647\u0627 \u0627\u0644\u0640 pipeline \u062e\u0644\u0627\u0644 \u0646\u0648\u0627\u0641\u0630 \u0645\u062d\u062f\u062f\u0629\u060c \u0648\u062a\u0623\u0643\u062f \u0645\u0646 \u0623\u0646 \u0645\u062f\u064a\u0631\u064a \u0627\u0644\u062d\u0648\u0627\u062f\u062b \u0627\u0644\u0645\u0639\u064a\u0646\u064a\u0646 \u0641\u0642\u0637 \u064a\u0645\u0643\u0646\u0647\u0645 \u062a\u062c\u0627\u0648\u0632 \u0627\u0644\u062a\u062c\u0645\u064a\u062f.<\/p>\n \u0633\u062a\u0641\u0634\u0644 \u0627\u0644\u0648\u0642\u0627\u064a\u0629 \u0641\u064a \u0627\u0644\u0646\u0647\u0627\u064a\u0629. \u062a\u062d\u062f\u062f \u0642\u062f\u0631\u0627\u062a \u0627\u0644\u0643\u0634\u0641 \u0645\u0627 \u0625\u0630\u0627 \u0643\u0646\u062a \u0633\u062a\u0644\u062a\u0642\u0637 \u0627\u0644\u0627\u062e\u062a\u0631\u0627\u0642 \u0641\u064a \u062f\u0642\u0627\u0626\u0642 \u0623\u0648 \u0623\u0634\u0647\u0631. \u0645\u0631\u0627\u0642\u0628\u0629 CI\/CD \u0647\u064a \u0646\u0642\u0637\u0629 \u0639\u0645\u064a\u0627\u0621 \u0644\u062f\u0649 \u0627\u0644\u0639\u062f\u064a\u062f \u0645\u0646 \u0627\u0644\u0645\u0624\u0633\u0633\u0627\u062a \u2014 \u062a\u0633\u062a\u0648\u0639\u0628 SIEM \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0647\u0645 \u0633\u062c\u0644\u0627\u062a \u0627\u0644\u062a\u0637\u0628\u064a\u0642\u0627\u062a \u0648\u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629 \u0644\u0643\u0646\u0647\u0627 \u062a\u062a\u062c\u0627\u0647\u0644 \u0627\u0644\u0642\u064a\u0627\u0633\u0627\u062a \u0639\u0646 \u0628\u0639\u062f \u0644\u0644\u0640 pipeline \u062a\u0645\u0627\u0645\u0627\u064b.<\/p>\n \u0623\u0646\u0634\u0626 \u062e\u0637\u0648\u0637 \u0623\u0633\u0627\u0633 \u0644\u0633\u0644\u0648\u0643 pipeline \u0627\u0644\u0637\u0628\u064a\u0639\u064a \u0648\u0646\u0628\u0651\u0647 \u0639\u0646\u062f \u0627\u0644\u0627\u0646\u062d\u0631\u0627\u0641\u0627\u062a:<\/p>\n \u064a\u062c\u0628 \u0623\u0646 \u062a\u064f\u0637\u0644\u0642 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0627\u0644\u062c\u062f\u064a\u062f\u0629 \u0627\u0644\u0645\u0636\u0627\u0641\u0629 \u0641\u064a PRs \u0645\u0631\u0627\u062c\u0639\u0629 \u0622\u0644\u064a\u0629 \u0648\u062a\u0646\u0628\u064a\u0647\u0627\u064b. \u064a\u0645\u0643\u0646 \u0644\u0623\u062f\u0627\u0629 \u0641\u0631\u0642 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0623\u0646:<\/p>\n \u062a\u062a\u0633\u0631\u0628 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0645\u0646 \u062e\u0644\u0627\u0644 \u0627\u0644\u0627\u0644\u062a\u0632\u0627\u0645\u0627\u062a \u0648\u0627\u0644\u0633\u062c\u0644\u0627\u062a \u0648\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a. \u0637\u0628\u0651\u0642 \u0639\u062f\u0629 \u0645\u0646\u0627\u0647\u062c \u0641\u062d\u0635 \u0645\u062a\u0637\u0627\u0628\u0642\u0629:<\/p>\n \u064a\u062c\u0628 \u0623\u0646 \u062a\u062a\u063a\u064a\u0631 \u062a\u0639\u0631\u064a\u0641\u0627\u062a \u0627\u0644\u0640 Pipeline \u0645\u0646 \u062e\u0644\u0627\u0644 \u0639\u0645\u0644\u064a\u0629 PR \u0627\u0644\u0639\u0627\u062f\u064a\u0629. \u0631\u0627\u0642\u0628 \u0627\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u063a\u064a\u0631 \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u0629:<\/p>\n \u0623\u0639\u062f \u062a\u0648\u062c\u064a\u0647 \u0633\u062c\u0644\u0627\u062a \u062a\u062f\u0642\u064a\u0642 CI\/CD \u0625\u0644\u0649 SIEM \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u062c\u0646\u0628\u0627\u064b \u0625\u0644\u0649 \u062c\u0646\u0628 \u0645\u0639 \u0633\u062c\u0644\u0627\u062a \u0627\u0644\u062a\u0637\u0628\u064a\u0642\u0627\u062a \u0648\u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629. \u062a\u0634\u0645\u0644 \u0645\u0635\u0627\u062f\u0631 \u0627\u0644\u0633\u062c\u0644\u0627\u062a \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629:<\/p>\n \u0627\u0631\u0628\u0637 \u0646\u0634\u0627\u0637 \u0627\u0644\u0640 pipeline \u0628\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629 \u0627\u0644\u0633\u062d\u0627\u0628\u064a\u0629. \u0625\u0630\u0627 \u062a\u0632\u0627\u0645\u0646 \u062a\u0634\u063a\u064a\u0644 pipeline \u0645\u0639 \u062a\u0639\u062f\u064a\u0644\u0627\u062a \u063a\u064a\u0631 \u0645\u062a\u0648\u0642\u0639\u0629 \u0641\u064a \u0633\u064a\u0627\u0633\u0627\u062a IAM \u0623\u0648 \u0625\u0646\u0634\u0627\u0621 \u0645\u0648\u0627\u0631\u062f\u060c \u0641\u0647\u0630\u0627 \u062a\u0646\u0628\u064a\u0647 \u0630\u0648 \u0623\u0648\u0644\u0648\u064a\u0629 \u0639\u0627\u0644\u064a\u0629.<\/p>\n \u0639\u0646\u062f\u0645\u0627 \u064a\u062a\u0645 \u0627\u0643\u062a\u0634\u0627\u0641 \u0627\u062e\u062a\u0631\u0627\u0642 CI\/CD \u2014 \u0623\u0648 \u0627\u0644\u0627\u0634\u062a\u0628\u0627\u0647 \u0628\u0647 \u2014 \u062a\u0643\u0648\u0646 \u0627\u0644\u0633\u0631\u0639\u0629 \u0645\u0647\u0645\u0629. \u0642\u062f \u064a\u0643\u0648\u0646 \u0644\u062f\u0649 \u0627\u0644\u0645\u0647\u0627\u062c\u0645 \u0648\u0635\u0648\u0644 \u0646\u0634\u0637 \u0644\u0627 \u064a\u0632\u0627\u0644\u060c \u0648\u0643\u0644 \u062f\u0642\u064a\u0642\u0629 \u062a\u0623\u062e\u064a\u0631 \u062a\u0648\u0633\u0639 \u0646\u0637\u0627\u0642 \u0627\u0644\u0636\u0631\u0631. \u062f\u0644\u064a\u0644 \u0627\u0633\u062a\u062c\u0627\u0628\u0629 \u0644\u0644\u062d\u0648\u0627\u062f\u062b \u0645\u064f\u0639\u062f \u0645\u0633\u0628\u0642\u0627\u064b \u0644\u0633\u064a\u0646\u0627\u0631\u064a\u0648\u0647\u0627\u062a CI\/CD \u0627\u0644\u0645\u062d\u062f\u062f\u0629 \u0623\u0645\u0631 \u0636\u0631\u0648\u0631\u064a.<\/p>\n \u062d\u062f\u062f \u0645\u0627 \u0643\u0627\u0646 \u064a\u0645\u0643\u0646 \u0644\u0644\u0645\u0647\u0627\u062c\u0645 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u064a\u0647:<\/p>\n \u062a\u062d\u0642\u0642 \u0645\u0645\u0627 \u0625\u0630\u0627 \u062a\u0645 \u0627\u0644\u062a\u0644\u0627\u0639\u0628 \u0628\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0645\u0646\u0634\u0648\u0631\u0629:<\/p>\n \u0627\u062c\u0645\u0639 \u0627\u0644\u0623\u062f\u0644\u0629 \u0645\u0646 \u0645\u0635\u0627\u062f\u0631 \u0645\u062a\u0639\u062f\u062f\u0629:<\/p>\n \u0628\u0639\u062f \u0627\u0644\u0627\u062d\u062a\u0648\u0627\u0621 \u0648\u0627\u0644\u062a\u062d\u0642\u064a\u0642\u060c \u0627\u0633\u062a\u0639\u062f \u0627\u0644\u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0622\u0645\u0646\u0629:<\/p>\n \u0623\u0645\u0627\u0646 CI\/CD \u0644\u064a\u0633 \u0642\u0627\u0626\u0645\u0629 \u0645\u0631\u0627\u062c\u0639\u0629 \u062a\u064f\u0643\u0645\u0644\u0647\u0627 \u0645\u0631\u0629 \u0648\u062a\u0646\u0633\u0627\u0647\u0627. \u0625\u0646\u0647 \u0645\u0645\u0627\u0631\u0633\u0629 \u0647\u0646\u062f\u0633\u064a\u0629 \u0645\u0633\u062a\u0645\u0631\u0629 \u062a\u062a\u0637\u0648\u0631 \u0645\u0639 \u0627\u0644\u0640 pipelines \u0648\u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629 \u0648\u0645\u0634\u0647\u062f \u0627\u0644\u062a\u0647\u062f\u064a\u062f\u0627\u062a. \u0633\u064a\u0633\u062a\u0645\u0631 \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u0648\u0646 \u0641\u064a \u0627\u0633\u062a\u0647\u062f\u0627\u0641 \u0633\u0644\u0633\u0644\u0629 \u062a\u0648\u0631\u064a\u062f \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a \u0644\u0623\u0646\u0647\u0627 \u062a\u0648\u0641\u0631 \u0631\u0627\u0641\u0639\u0629 \u0639\u0627\u0644\u064a\u0629 \u2014 pipeline \u0648\u0627\u062d\u062f \u0645\u062e\u062a\u0631\u0642 \u064a\u0645\u0643\u0646 \u0623\u0646 \u064a\u0624\u062b\u0631 \u0639\u0644\u0649 \u0643\u0644 \u0639\u0645\u0644\u064a\u0629 \u0646\u0634\u0631 \u0648\u0643\u0644 \u0628\u064a\u0626\u0629 \u0648\u0643\u0644 \u0639\u0645\u064a\u0644.<\/p>\n \u0627\u0644\u062f\u0641\u0627\u0639\u0627\u062a \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644 \u0645\u0646\u0638\u0645\u0629 \u062d\u0633\u0628 \u0627\u0644\u0637\u0628\u0642\u0629\u060c \u0644\u0643\u0646 \u0646\u0642\u0627\u0637 \u0627\u0644\u0628\u062f\u0627\u064a\u0629 \u0627\u0644\u0623\u0643\u062b\u0631 \u062a\u0623\u062b\u064a\u0631\u0627\u064b \u062a\u062a\u0642\u0627\u0637\u0639 \u0639\u0628\u0631 \u0627\u0644\u0637\u0628\u0642\u0627\u062a:<\/p>\n \u0627\u0628\u062f\u0623 \u0628\u0639\u0646\u0627\u0635\u0631 \u0627\u0644\u062a\u062d\u0643\u0645 \u0639\u0627\u0644\u064a\u0629 \u0627\u0644\u062a\u0623\u062b\u064a\u0631 \u0647\u0630\u0647. \u0623\u0636\u0641 \u062f\u0641\u0627\u0639\u0627\u062a \u0625\u0636\u0627\u0641\u064a\u0629 \u0645\u0639 \u0646\u0636\u062c \u0628\u0631\u0646\u0627\u0645\u062c\u0643 \u0627\u0644\u0623\u0645\u0646\u064a. \u0648\u0627\u0641\u062a\u0631\u0636 \u062f\u0627\u0626\u0645\u0627\u064b \u0623\u0646 \u0627\u0644\u0640 pipeline \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u0633\u064a\u0643\u0648\u0646 \u0645\u0633\u062a\u0647\u062f\u0641\u0627\u064b \u2014 \u0644\u0623\u0646\u0647 \u0633\u064a\u0643\u0648\u0646 \u0643\u0630\u0644\u0643.<\/p>\n \u0641\u064a \u0627\u0644\u0645\u0646\u0634\u0648\u0631 \u0627\u0644\u062a\u0627\u0644\u064a \u0641\u064a \u0647\u0630\u0647 \u0627\u0644\u0633\u0644\u0633\u0644\u0629\u060c \u0633\u0646\u0633\u062a\u0639\u0631\u0636 \u062a\u0646\u0641\u064a\u0630 \u0647\u0630\u0647 \u0627\u0644\u062f\u0641\u0627\u0639\u0627\u062a \u0641\u064a GitHub Actions pipeline \u062d\u0642\u064a\u0642\u064a\u060c \u0645\u0639 \u0645\u062b\u0627\u0644 \u0639\u0645\u0644\u064a \u0643\u0627\u0645\u0644 \u064a\u0645\u0643\u0646\u0643 \u062a\u0643\u064a\u064a\u0641\u0647 \u0644\u0645\u0633\u062a\u0648\u062f\u0639\u0627\u062a\u0643 \u0627\u0644\u062e\u0627\u0635\u0629.<\/p>\n","protected":false},"excerpt":{"rendered":" \u0645\u0642\u062f\u0645\u0629 \u0625\u0646 \u0641\u0647\u0645 \u0643\u064a\u0641\u064a\u0629 \u0645\u0647\u0627\u062c\u0645\u0629 CI\/CD pipelines \u0644\u064a\u0633 \u0633\u0648\u0649 \u0646\u0635\u0641 \u0627\u0644\u0635\u0648\u0631\u0629. \u064a\u0645\u0646\u062d\u0646\u0627 \u0646\u0645\u0630\u062c\u0629 \u0627\u0644\u062a\u0647\u062f\u064a\u062f\u0627\u062a \u0648\u062a\u0635\u0646\u064a\u0641 \u0627\u0644\u0647\u062c\u0645\u0627\u062a \u062e\u0631\u064a\u0637\u0629 \u0644\u0633\u0627\u062d\u0629 \u0627\u0644\u0645\u0639\u0631\u0643\u0629\u060c \u0644\u0643\u0646 \u0628\u062f\u0648\u0646 \u0623\u0646\u0645\u0627\u0637 \u062f\u0641\u0627\u0639\u064a\u0629 \u0645\u0644\u0645\u0648\u0633\u0629 \u0648\u062a\u062f\u0627\u0628\u064a\u0631 \u0647\u0646\u062f\u0633\u064a\u0629 \u0644\u0644\u062a\u062e\u0641\u064a\u0641\u060c \u062a\u0638\u0644 \u062a\u0644\u0643 \u0627\u0644\u0645\u0639\u0631\u0641\u0629 \u0646\u0638\u0631\u064a\u0629. \u064a\u0633\u062f\u0651 \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644 \u0627\u0644\u0641\u062c\u0648\u0629 \u0628\u064a\u0646 \u0627\u0644\u0648\u0639\u064a \u0648\u0627\u0644\u0639\u0645\u0644. \u0627\u0644\u0647\u062f\u0641 \u0644\u064a\u0633 \u0628\u0646\u0627\u0621 \u062d\u0635\u0646 \u0645\u0646\u064a\u0639 \u2014 \u0641\u0647\u0630\u0627 \u063a\u064a\u0631 \u0645\u0648\u062c\u0648\u062f. \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0630\u0644\u0643\u060c \u0646\u0631\u0643\u0632 \u0639\u0644\u0649 \u062a\u0642\u0644\u064a\u0644 \u0633\u0637\u062d \u0627\u0644\u0647\u062c\u0648\u0645\u060c … \u0627\u0642\u0631\u0623 \u0627\u0644\u0645\u0632\u064a\u062f<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,31],"tags":[],"post_folder":[],"class_list":["post-795","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-threats-attacks"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/795","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=795"}],"version-history":[{"count":0,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/795\/revisions"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=795"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=795"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=795"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=795"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\u0627\u0644\u0631\u0643\u0627\u0626\u0632 \u0627\u0644\u062b\u0644\u0627\u062b: \u0627\u0644\u0648\u0642\u0627\u064a\u0629\u060c \u0627\u0644\u0643\u0634\u0641\u060c \u0627\u0644\u0627\u0633\u062a\u062c\u0627\u0628\u0629<\/h3>\n
\n
\u0627\u0644\u062f\u0641\u0627\u0639 \u0641\u064a \u0643\u0644 \u0637\u0628\u0642\u0629<\/h3>\n
\n
\u062f\u0641\u0627\u0639\u0627\u062a \u0637\u0628\u0642\u0629 \u0627\u0644\u0645\u0635\u062f\u0631 \u2014 \u062d\u0645\u0627\u064a\u0629 \u0645\u062f\u062e\u0644\u0627\u062a \u0627\u0644\u0640 Pipeline<\/h2>\n
\u0642\u0648\u0627\u0639\u062f \u062d\u0645\u0627\u064a\u0629 \u0627\u0644\u0641\u0631\u0648\u0639<\/h3>\n
\n
CODEOWNERS \u0644\u0644\u0645\u0633\u0627\u0631\u0627\u062a \u0627\u0644\u062d\u0633\u0627\u0633\u0629<\/h3>\n
# .github\/CODEOWNERS\n\n# Pipeline definitions require security team review\n.github\/workflows\/ @org\/security-team\n.gitlab-ci.yml @org\/security-team\nJenkinsfile @org\/security-team\n\n# Infrastructure as code\nterraform\/ @org\/platform-team @org\/security-team\npulumi\/ @org\/platform-team @org\/security-team\n\n# Container definitions\nDockerfile* @org\/security-team\ndocker-compose*.yml @org\/security-team\n\n# Dependency manifests\npackage.json @org\/security-team\nrequirements.txt @org\/security-team\ngo.sum @org\/security-team<\/code><\/pre>\n\u0627\u0644\u0627\u0644\u062a\u0632\u0627\u0645\u0627\u062a \u0627\u0644\u0645\u0648\u0642\u0651\u0639\u0629 \u0648\u0627\u0644\u062a\u062d\u0642\u0642<\/h3>\n
# Configure Git to sign commits with SSH key\ngit config --global gpg.format ssh\ngit config --global user.signingkey ~\/.ssh\/id_ed25519.pub\ngit config --global commit.gpgsign true\n\n# Verify a commit signature\ngit verify-commit HEAD<\/code><\/pre>\n\u0633\u064a\u0627\u0633\u0627\u062a \u0645\u0631\u0627\u062c\u0639\u0629 PR<\/h3>\n
\n
\u062a\u0642\u064a\u064a\u062f \u0645\u062d\u0641\u0632\u0627\u062a \u0627\u0644\u0640 Pipeline<\/h3>\n
\n
\u062f\u0641\u0627\u0639\u0627\u062a \u0637\u0628\u0642\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u2014 \u062a\u0623\u0645\u064a\u0646 \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0628\u0646\u0627\u0621<\/h2>\n
\u0627\u0644\u0645\u0634\u063a\u0651\u0644\u0627\u062a \u0627\u0644\u0645\u0624\u0642\u062a\u0629 (Ephemeral Runners)<\/h3>\n
# GitHub Actions: Self-hosted ephemeral runner with actions-runner-controller\napiVersion: actions.summerwind.dev\/v1alpha1\nkind: RunnerDeployment\nmetadata:\n name: ephemeral-runners\nspec:\n replicas: 5\n template:\n spec:\n ephemeral: true\n repository: your-org\/your-repo\n labels:\n - self-hosted\n - ephemeral\n - linux\n dockerdWithinRunnerContainer: false\n image: ghcr.io\/actions\/actions-runner:latest\n resources:\n limits:\n cpu: \"2\"\n memory: \"4Gi\"<\/code><\/pre>\n\u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0645\u0639\u0632\u0648\u0644\u0629<\/h3>\n
\n
\u0642\u064a\u0648\u062f \u0627\u0644\u0634\u0628\u0643\u0629 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0628\u0646\u0627\u0621<\/h3>\n
\n
# Kubernetes NetworkPolicy for CI runner pods\napiVersion: networking.k8s.io\/v1\nkind: NetworkPolicy\nmetadata:\n name: ci-runner-egress-restricted\n namespace: ci-runners\nspec:\n podSelector:\n matchLabels:\n role: ci-runner\n policyTypes:\n - Egress\n egress:\n - to:\n - ipBlock:\n cidr: 10.0.0.0\/8 # Internal network only\n ports:\n - protocol: TCP\n port: 443 # HTTPS to internal registries\n - protocol: TCP\n port: 53 # DNS\n - protocol: UDP\n port: 53 # DNS<\/code><\/pre>\n\u0635\u0648\u0631 \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0645\u0635\u063a\u0651\u0631\u0629<\/h3>\n
\n
# Pin by digest, not by tag\nFROM golang:1.22@sha256:a3b21c5d8e... AS builder\nWORKDIR \/app\nCOPY . .\nRUN CGO_ENABLED=0 go build -o \/app\/binary\n\n# Use distroless for the final image\nFROM gcr.io\/distroless\/static-debian12@sha256:f4e8b1c2d9...\nCOPY --from=builder \/app\/binary \/binary\nENTRYPOINT [\"\/binary\"]<\/code><\/pre>\n\u062a\u0639\u0637\u064a\u0644 \u0623\u0648\u0636\u0627\u0639 \u0627\u0644\u062a\u0635\u062d\u064a\u062d \u0641\u064a pipelines \u0627\u0644\u0625\u0646\u062a\u0627\u062c<\/h3>\n
ACTIONS_STEP_DEBUG<\/code> \u0648 CI_DEBUG_TRACE<\/code> \u0648\u0627\u0644\u0639\u0644\u0627\u0645\u0627\u062a \u0627\u0644\u0645\u0643\u0627\u0641\u0626\u0629 \u0641\u064a \u0625\u0639\u062f\u0627\u062f\u0627\u062a pipeline \u0627\u0644\u0625\u0646\u062a\u0627\u062c.<\/p>\n\u062f\u0641\u0627\u0639\u0627\u062a \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0648\u0627\u0644\u0647\u0648\u064a\u0629 \u2014 \u062a\u0642\u064a\u064a\u062f \u0645\u0627 \u064a\u0645\u0643\u0646 \u0644\u0644\u0640 Pipelines \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u064a\u0647<\/h2>\n
\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0627\u0644\u0631\u0645\u0648\u0632 \u0627\u0644\u062f\u0646\u064a\u0627<\/h3>\n
GITHUB_TOKEN<\/code> \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a \u0641\u064a GitHub Actions \u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0648\u0627\u0633\u0639\u0629. \u0642\u064a\u0651\u062f\u0647 \u062f\u0627\u0626\u0645\u0627\u064b \u0625\u0644\u0649 \u0627\u0644\u062d\u062f \u0627\u0644\u0623\u062f\u0646\u0649 \u0627\u0644\u0645\u0637\u0644\u0648\u0628:<\/p>\n# GitHub Actions: Restrict default token permissions\npermissions:\n contents: read\n packages: read\n id-token: write # Only if using OIDC\n\njobs:\n build:\n runs-on: ubuntu-latest\n permissions:\n contents: read\n steps:\n - uses: actions\/checkout@v4\n - run: make build\n\n deploy:\n runs-on: ubuntu-latest\n needs: build\n permissions:\n contents: read\n id-token: write # For OIDC authentication\n steps:\n - name: Authenticate to cloud\n uses: aws-actions\/configure-aws-credentials@v4\n with:\n role-to-assume: arn:aws:iam::123456789012:role\/deploy-role\n aws-region: us-east-1<\/code><\/pre>\nOIDC \u0648\u0647\u0648\u064a\u0629 \u0623\u0639\u0628\u0627\u0621 \u0627\u0644\u0639\u0645\u0644<\/h3>\n
\n
aws-actions\/configure-aws-credentials<\/code> \u0645\u0639 OIDC role assumption.<\/li>\ngoogle-github-actions\/auth<\/code> \u0645\u0639 Workload Identity Federation.<\/li>\nazure\/login<\/code> \u0645\u0639 federated credentials.<\/li>\nCI_JOB_JWT_V2<\/code>) \u0645\u0639 federation \u0645\u0632\u0648\u062f \u0627\u0644\u0633\u062d\u0627\u0628\u0629.<\/li>\n<\/ul>\n\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0644\u0643\u0644 \u0628\u064a\u0626\u0629 \u0648\u0644\u0643\u0644 \u0645\u0631\u062d\u0644\u0629<\/h3>\n
\n
\u0644\u0627 \u0623\u0633\u0631\u0627\u0631 \u0641\u064a workflows \u0627\u0644\u0640 PR\/Fork<\/h3>\n
pull_request<\/code> (\u0648\u0644\u064a\u0633 pull_request_target<\/code>) \u0644\u0644\u0643\u0648\u062f \u063a\u064a\u0631 \u0627\u0644\u0645\u0648\u062b\u0648\u0642\u060c \u0648\u0644\u0627 \u062a\u0645\u0631\u0631 \u0623\u0628\u062f\u0627\u064b \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0625\u0644\u0649 \u0627\u0644\u062e\u0637\u0648\u0627\u062a \u0627\u0644\u062a\u064a \u062a\u0646\u0641\u0630 \u0643\u0648\u062f PR.<\/p>\n\u062a\u0643\u0627\u0645\u0644 Vault \u0645\u0639 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u062f\u064a\u0646\u0627\u0645\u064a\u0643\u064a\u0629<\/h3>\n
# HashiCorp Vault: Generate short-lived database credentials\nvault read database\/creds\/ci-readonly\n# Returns:\n# Key Value\n# --- -----\n# lease_id database\/creds\/ci-readonly\/abc123\n# lease_duration 1h\n# username v-ci-readonly-xyz789\n# password A1B2-C3D4-E5F6-G7H8<\/code><\/pre>\n\u062a\u0633\u062c\u064a\u0644 \u062a\u062f\u0642\u064a\u0642 \u062c\u0645\u064a\u0639 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0623\u0633\u0631\u0627\u0631<\/h3>\n
\u062f\u0641\u0627\u0639\u0627\u062a \u0637\u0628\u0642\u0629 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u2014 \u0636\u0645\u0627\u0646 \u0633\u0644\u0627\u0645\u0629 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a<\/h2>\n
\u062a\u0648\u0642\u064a\u0639 \u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Sigstore\/Cosign<\/h3>\n
# Sign a container image using Cosign (keyless, OIDC-based)\ncosign sign --yes ghcr.io\/your-org\/your-app:v1.2.3@sha256:abc123...\n\n# Verify the signature\ncosign verify \\\n --certificate-identity=https:\/\/github.com\/your-org\/your-app\/.github\/workflows\/build.yml@refs\/heads\/main \\\n --certificate-oidc-issuer=https:\/\/token.actions.githubusercontent.com \\\n ghcr.io\/your-org\/your-app:v1.2.3@sha256:abc123...<\/code><\/pre>\n\u0625\u0646\u0634\u0627\u0621 \u0648\u062a\u062e\u0632\u064a\u0646 SLSA Provenance<\/h3>\n
# GitHub Actions: Generate SLSA provenance for container images\n- uses: slsa-framework\/slsa-github-generator\/.github\/workflows\/generator_container_slsa3.yml@v2.0.0\n with:\n image: ghcr.io\/your-org\/your-app\n digest: ${{ steps.build.outputs.digest }}\n secrets:\n registry-username: ${{ github.actor }}\n registry-password: ${{ secrets.GITHUB_TOKEN }}<\/code><\/pre>\n\u062a\u062e\u0632\u064a\u0646 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u063a\u064a\u0631 \u0627\u0644\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u063a\u064a\u064a\u0631<\/h3>\n
\n
\u0625\u0646\u0634\u0627\u0621 SBOM \u0648\u0627\u0644\u062a\u0635\u062f\u064a\u0642<\/h3>\n
# Generate SBOM with Syft and attest with Cosign\nsyft ghcr.io\/your-org\/your-app:v1.2.3 -o spdx-json > sbom.spdx.json\ncosign attest --predicate sbom.spdx.json --type spdxjson \\\n ghcr.io\/your-org\/your-app:v1.2.3@sha256:abc123...<\/code><\/pre>\n\u0648\u062d\u062f\u0627\u062a \u0627\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0627\u0644\u0642\u0628\u0648\u0644 \u0644\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639<\/h3>\n
# Kyverno: Require signed images\napiVersion: kyverno.io\/v1\nkind: ClusterPolicy\nmetadata:\n name: require-signed-images\nspec:\n validationFailureAction: Enforce\n background: false\n rules:\n - name: verify-cosign-signature\n match:\n any:\n - resources:\n kinds:\n - Pod\n verifyImages:\n - imageReferences:\n - \"ghcr.io\/your-org\/*\"\n attestors:\n - entries:\n - keyless:\n issuer: \"https:\/\/token.actions.githubusercontent.com\"\n subject: \"https:\/\/github.com\/your-org\/*\"<\/code><\/pre>\n\u062f\u0641\u0627\u0639\u0627\u062a \u0637\u0628\u0642\u0629 \u0627\u0644\u0646\u0634\u0631 \u2014 \u0627\u0644\u062a\u062d\u0643\u0645 \u0641\u064a\u0645\u0627 \u064a\u0635\u0644 \u0625\u0644\u0649 \u0627\u0644\u0625\u0646\u062a\u0627\u062c<\/h2>\n
\u0627\u0644\u0645\u0648\u0627\u0641\u0642\u0627\u062a \u0627\u0644\u064a\u062f\u0648\u064a\u0629 \u0627\u0644\u0645\u0637\u0644\u0648\u0628\u0629<\/h3>\n
# GitHub Actions: Environment with required reviewers\njobs:\n deploy-production:\n runs-on: ubuntu-latest\n environment:\n name: production\n url: https:\/\/your-app.example.com\n steps:\n - name: Deploy to production\n run: .\/deploy.sh production<\/code><\/pre>\nGitOps \u0645\u0639 \u0627\u0644\u0646\u0634\u0631 \u0627\u0644\u0642\u0627\u0626\u0645 \u0639\u0644\u0649 \u0627\u0644\u0633\u062d\u0628<\/h3>\n
\n
# Flux: GitRepository and Kustomization for pull-based deployment\napiVersion: source.toolkit.fluxcd.io\/v1\nkind: GitRepository\nmetadata:\n name: app-manifests\n namespace: flux-system\nspec:\n interval: 1m\n url: https:\/\/github.com\/your-org\/app-manifests\n ref:\n branch: main\n secretRef:\n name: git-credentials\n---\napiVersion: kustomize.toolkit.fluxcd.io\/v1\nkind: Kustomization\nmetadata:\n name: app-production\n namespace: flux-system\nspec:\n interval: 5m\n path: .\/environments\/production\n prune: true\n sourceRef:\n kind: GitRepository\n name: app-manifests\n healthChecks:\n - apiVersion: apps\/v1\n kind: Deployment\n name: your-app\n namespace: production<\/code><\/pre>\n\u0627\u0644\u0646\u0634\u0631 \u0627\u0644\u062a\u062f\u0631\u064a\u062c\u064a \u0648\u0627\u0644\u062a\u0631\u0627\u062c\u0639 \u0627\u0644\u0622\u0644\u064a<\/h3>\n
\n
\u062a\u062c\u0645\u064a\u062f \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0646\u0634\u0631<\/h3>\n
\u0627\u0644\u0643\u0634\u0641 \u0648\u0627\u0644\u0645\u0631\u0627\u0642\u0628\u0629 \u2014 \u0645\u0639\u0631\u0641\u0629 \u0645\u062a\u0649 \u064a\u0643\u0648\u0646 \u0647\u0646\u0627\u0643 \u062e\u0637\u0623<\/h2>\n
\u0643\u0634\u0641 \u0634\u0630\u0648\u0630 \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0640 Pipeline<\/h3>\n
\n
\u062a\u0646\u0628\u064a\u0647 \u0641\u0631\u0642 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a<\/h3>\n
\n
\u0641\u062d\u0635 \u0627\u0644\u0623\u0633\u0631\u0627\u0631<\/h3>\n
\n
gitleaks<\/code> \u0623\u0648 trufflehog<\/code> \u062a\u0644\u062a\u0642\u0637 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0642\u0628\u0644 \u062f\u062e\u0648\u0644\u0647\u0627 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639.<\/li>\n# Pre-commit hook with gitleaks\n# .pre-commit-config.yaml\nrepos:\n - repo: https:\/\/github.com\/gitleaks\/gitleaks\n rev: v8.18.0\n hooks:\n - id: gitleaks<\/code><\/pre>\n\u0645\u0631\u0627\u0642\u0628\u0629 \u0627\u0646\u062d\u0631\u0627\u0641 \u0627\u0644\u0625\u0639\u062f\u0627\u062f\u0627\u062a<\/h3>\n
\n
\u062a\u0643\u0627\u0645\u0644 SIEM \u0645\u0639 \u0633\u062c\u0644\u0627\u062a \u062a\u062f\u0642\u064a\u0642 CI\/CD<\/h3>\n
\n
\u0627\u0644\u0627\u0633\u062a\u062c\u0627\u0628\u0629 \u0644\u0644\u062d\u0648\u0627\u062f\u062b \u0641\u064a CI\/CD \u2014 \u0639\u0646\u062f\u0645\u0627 \u062a\u0641\u0634\u0644 \u0627\u0644\u062f\u0641\u0627\u0639\u0627\u062a<\/h2>\n
\u0627\u0644\u0625\u062c\u0631\u0627\u0621\u0627\u062a \u0627\u0644\u0641\u0648\u0631\u064a\u0629: \u0627\u062d\u062a\u0648\u0627\u0621 \u0627\u0644\u0627\u062e\u062a\u0631\u0627\u0642<\/h3>\n
\n
\u062a\u062d\u0644\u064a\u0644 \u0646\u0637\u0627\u0642 \u0627\u0644\u0636\u0631\u0631<\/h3>\n
\n
\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0633\u0644\u0627\u0645\u0629 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a<\/h3>\n
\n
\u0627\u0644\u062a\u062d\u0642\u064a\u0642 \u0627\u0644\u062c\u0646\u0627\u0626\u064a<\/h3>\n
\n
\u0627\u0644\u062a\u0639\u0627\u0641\u064a \u0628\u0639\u062f \u0627\u0644\u062d\u0627\u062f\u062b<\/h3>\n
\n
\u0646\u0645\u0648\u0630\u062c \u062f\u0644\u064a\u0644 \u0627\u0644\u0627\u0633\u062a\u062c\u0627\u0628\u0629 \u0644\u062d\u0648\u0627\u062f\u062b CI\/CD<\/h3>\n
## CI\/CD Security Incident Playbook\n\n### Phase 1: Detection & Triage (0-15 minutes)\n- [ ] Confirm the alert is a true positive\n- [ ] Classify severity (P1: active compromise, P2: suspected compromise, P3: policy violation)\n- [ ] Notify the incident commander and security team\n\n### Phase 2: Containment (15-60 minutes)\n- [ ] Revoke compromised credentials\n- [ ] Disable affected pipelines\n- [ ] Isolate affected runners\n- [ ] Block attacker's access (revoke tokens, disable accounts)\n\n### Phase 3: Investigation (1-24 hours)\n- [ ] Collect runner logs, audit logs, git history\n- [ ] Determine blast radius (credentials, artifacts, deployments)\n- [ ] Identify attack vector (how did the attacker get in?)\n- [ ] Check artifact integrity for the compromised period\n\n### Phase 4: Recovery (24-72 hours)\n- [ ] Rotate all potentially compromised secrets\n- [ ] Rebuild and republish affected artifacts from known-good source\n- [ ] Redeploy affected environments from verified artifacts\n- [ ] Restore pipeline operations with tightened controls\n\n### Phase 5: Post-Incident (1-2 weeks)\n- [ ] Conduct blameless post-mortem\n- [ ] Document lessons learned and update this playbook\n- [ ] Implement systemic improvements to prevent recurrence\n- [ ] Update detection rules based on IOCs discovered<\/code><\/pre>\n\u0627\u0644\u062e\u0627\u062a\u0645\u0629<\/h2>\n
\n