Lab: Implementing a Secure Build Pipeline with Tekton and Tekton Chains

Overview
Tekton is a powerful, Kubernetes-native open-source framework for creating continuous integration and continuous delivery (CI/CD) systems. It runs as a set of Custom Resource Definitions (CRDs) on any Kubernetes cluster, letting you define pipelines as declarative YAML that are portable across environments. Tekton Chains is a companion project that adds automatic supply chain security …

CI/CD Policy Engines Compared: OPA vs Kyverno vs Sentinel vs Cedar

Introduction: Why Policy Engines Matter for CI/CD
Modern CI/CD pipelines move fast. Teams push dozens — sometimes hundreds — of deployments per day, and every one of those deployments carries configuration decisions that affect security, compliance, and operational stability. A single misconfigured Kubernetes manifest, an overly permissive IAM role in Terraform, or a container image …

HashiCorp Vault for CI/CD Secrets Management

Introduction
Managing secrets securely at scale is a major challenge for enterprise CI/CD pipelines. As organizations adopt DevSecOps practices and increase automation, the number of credentials, tokens, and certificates handled by CI/CD systems grows significantly. HashiCorp Vault is a widely adopted secrets management solution designed to address these challenges. This article explores how Vault can …

SBOM Tools Compared: Syft vs Trivy vs CycloneDX CLI

Why SBOMs Matter: The Regulatory and Security Imperative
A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of every component, library, and dependency that makes up a piece of software. Think of it as the nutritional label for your application — except instead of calories and sodium, you’re listing packages, versions, licenses, and …

Container Image Signing Tools Compared: Cosign vs Notation vs GPG

Why Container Image Signing Matters
Every time you pull a container image and deploy it into production, you’re placing implicit trust in that artifact. But how do you verify that the image hasn’t been tampered with? How do you confirm it was actually built by your CI/CD pipeline and not injected by an attacker who …

Lab: Enforcing Kubernetes Deployment Policies with OPA Conftest in CI/CD

Overview
Misconfigured Kubernetes manifests are one of the top causes of production security incidents. A container running as root, an unpinned image tag, a missing resource limit, or an exposed host network can each open the door to privilege escalation, resource exhaustion, or lateral movement inside your cluster. The problem is that these misconfigurations are …

DAST Tool Selection — RFP Evaluation Matrix (Enterprise & Regulated Environments)

How to use this matrix
⚠️ In enterprise environments, the highest-scoring tool is rarely the one with the most findings.
1. CI/CD Integration & Automation (Weight: 25%)
Criterion | Description | Score (0–5) | Notes
Native CI/CD integration | Native support for GitHub Actions, GitLab CI, Jenkins, etc.
Pipeline-as-code support | DAST fully automatable via code
Deterministic exit codes | Reliable …

Lab: Detecting and Preventing Secret Leaks in CI/CD Pipelines

Overview
Secret leaks in CI/CD pipelines are the number one cause of pipeline compromise. Exposed credentials — API keys, database passwords, cloud access tokens — give attackers a direct path into production systems. According to GitGuardian’s 2025 State of Secrets Sprawl report, over 12 million new secrets were detected in public GitHub commits in a …

Lab: Hardening GitHub Actions Workflows — Permissions, Pinning, and Secrets

Overview
GitHub Actions has become the most widely adopted CI/CD platform for open-source and commercial software alike. That popularity makes it the number-one attack surface in the CI/CD landscape. Misconfigured workflows routinely leak secrets, grant excessive permissions, and pull in third-party code that can be silently tampered with. In this hands-on lab you will harden …