Said OULMAKHZOUNE Overview If your GitHub Actions workflows authenticate to AWS using AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY stored as repository secrets, you have a serious security problem. Those long-lived credentials never expire on their own, can be exfiltrated by any workflow step (including third-party actions), and give attackers persistent access to your AWS account if compromised. OpenID Connect (OIDC) … Read more
What to change concretely in real CI/CD environments 🔐 Access & Identity Hardening If failing SSO/MFA controls: 🧱 Runner Isolation If using shared runners in regulated pipelines: 🚫 Policy Gates Not Blocking If SAST/SCA/DAST results are advisory only: 📦 Artifact Integrity If artifact signing missing: Evidence Centralization If logs only exist in vendor UI: 🔁 … Read more
Introduction Securing your CI/CD pipeline is no longer optional — it is a foundational requirement for any modern software organization. As supply chain attacks grow in frequency and sophistication, the tools you embed into your build and deployment pipelines directly determine your security posture. But with a growing ecosystem of scanners, choosing the right one … Read more
Dynamic Application Security Testing (DAST) is a critical control in enterprise CI/CD pipelines, particularly in enterprise environments. However, without a disciplined approach to false positives, DAST can quickly become a source of noise, friction, and audit risk rather than a reliable security signal. This article explains how to manage false positives in enterprise DAST pipelines … Read more
Overview GitHub-hosted runners are shared and ephemeral by default — every job gets a fresh virtual machine that is destroyed after the job completes. Self-hosted runners, on the other hand, are persistent and shared across workflow runs. This creates a significant security risk: secrets, tokens, and build artifacts from one job can leak into the … Read more
Overview Software Bills of Materials (SBOMs) are rapidly becoming a mandatory component of software supply chain transparency. Executive orders, regulatory frameworks like NIST SSDF, and industry standards now require organizations to produce, distribute, and verify SBOMs for every software release. An SBOM lists every component, library, and dependency inside your software — giving consumers the … Read more
Overview Poisoned Pipeline Execution (PPE) ranks as the #2 risk in the OWASP CI/CD Security Top 10. It is a class of attacks where a malicious actor manipulates the build process by injecting code into pipeline definitions or build scripts, typically through a pull request. Once the CI system picks up the change, the attacker’s … Read more
Dynamic Application Security Testing (DAST) plays a critical role in securing modern enterprise applications by identifying vulnerabilities that only manifest at runtime. Unlike static analysis, DAST evaluates running applications, simulating real-world attack scenarios against web interfaces, APIs, and services. In enterprise and production environments, DAST is not merely a vulnerability scanning activity. It is a … Read more
Introduction Understanding how CI/CD pipelines are attacked is only half the picture. Threat modeling and attack taxonomy give us a map of the battlefield, but without concrete defensive patterns and engineering mitigations, that knowledge remains theoretical. This guide bridges the gap between awareness and action. The goal is not to build an impenetrable fortress — … Read more
Selecting Dynamic Application Security Testing for Enterprise Environments Dynamic Application Security Testing (DAST) plays a critical role in securing enterprise applications by identifying vulnerabilities in running systems. Unlike SAST, which analyzes source code, DAST evaluates applications from the outside, simulating real-world attacks against deployed environments. In enterprise contexts, selecting a DAST tool is not just … Read more
