Said OULMAKHZOUNE Overview SLSA (Supply-chain Levels for Software Artifacts) provenance is a verifiable record that describes how an artifact was built: the source repository, the build platform, the entry point, and the input materials. When attached to a container image, provenance lets consumers answer a critical question before deploying: “Was this image actually built from the source … Read more
Overview Every container image your CI/CD pipeline produces should be cryptographically signed before it reaches any environment. Unsigned images are a blind spot — you have no proof they came from your pipeline, no guarantee they weren’t tampered with in transit, and no policy hook to block rogue deployments. In this hands-on lab you will: … Read more
Overview GitLab CI is the second most widely used CI/CD platform in the industry, powering millions of pipelines across organizations of every size. Its tight integration with source control makes it exceptionally convenient — but that same integration creates a broad attack surface if pipelines are not deliberately hardened. In this hands-on lab you will … Read more
Selecting a Dynamic Application Security Testing (DAST) tool in regulated enterprise environments is rarely a matter of choosing the solution with the most features or the highest vulnerability detection rate. In practice, DAST tooling decisions are driven by governance, CI/CD enforceability, operational reliability, and audit readiness. This article presents a realistic comparison of enterprise DAST … Read more
Introduction Most CI/CD pipelines start with a simple goal: get code from a developer’s machine into production as fast as possible. Along the way, someone creates a service account, grants it broad permissions, stores the credentials as a pipeline secret, and moves on. It works. Builds pass, deployments succeed, and nobody thinks about it again … Read more
CI/CD pipelines are among the most privileged workloads in any organization. They pull source code, download dependencies, access secrets, and push artifacts to production registries. Yet in many environments, the build processes behind these pipelines run with unrestricted network access and full filesystem permissions — a combination that represents one of the most exploitable gaps … Read more
Overview Dependency confusion is a supply chain attack that exploits how package managers resolve package names when both private (internal) and public registries are configured. When an attacker publishes a malicious package to a public registry using the same name as an internal private package — but with a higher version number — the package … Read more
Introduction: What Is SLSA and Why Should You Care? Supply-chain Levels for Software Artifacts — SLSA (pronounced “salsa”) — is a security framework created by Google and now maintained by the Open Source Security Foundation (OpenSSF). Its goal is deceptively simple: make it harder for attackers to tamper with the software you build and ship. … Read more
CI/CD pipelines have become the backbone of modern software delivery. But with that power comes significant risk. The OWASP Top 10 CI/CD Security Risks project catalogues the most critical attack vectors targeting continuous integration and continuous delivery systems. In this guide, we break down each risk with real-world examples, impact assessments, and actionable mitigations you … Read more
Introduction If you audit the secret stores of most CI/CD platforms today, you will find a graveyard of long-lived credentials: AWS access keys created years ago, GCP service account JSON keys shared across dozens of pipelines, GitHub Personal Access Tokens with broad scopes, and database passwords that have never been rotated. These static secrets are … Read more
