Said OULMAKHZOUNE - Secure Pipelines

Dependency Confusion and Artifact Poisoning: Attack Techniques and Defenses

March 23, 2026February 7, 2026 by Said OULMAKHZOUNE

Introduction Software supply chain attacks have surged in both frequency and sophistication over the past several years. Rather than attacking applications directly, adversaries increasingly target the dependency resolution and artifact distribution layers that underpin modern software development. Two of the most effective techniques in this category are dependency confusion and artifact poisoning. These attacks exploit … Read more

Policy as Code for CI/CD: Enforcing Security Gates with OPA and Rego

March 23, 2026February 5, 2026 by Said OULMAKHZOUNE

Introduction: Why Manual Security Reviews Don’t Scale Every engineering team eventually hits the same wall: security reviews that depend on human eyeballs cannot keep pace with the velocity of modern CI/CD pipelines. When teams deploy dozens or hundreds of times per day, asking a security engineer to manually review every Terraform plan, Kubernetes manifest, or … Read more

Secrets Management in CI/CD Pipelines: Patterns, Anti-Patterns, and Vault Integration

March 23, 2026February 5, 2026 by Said OULMAKHZOUNE

Introduction: Why Secrets Are the #1 Cause of CI/CD Compromise If you examine the root cause of almost every major CI/CD breach in recent years — from the Codecov supply chain attack to the CircleCI security incident — you will find the same culprit: compromised secrets. API keys, cloud credentials, database passwords, signing certificates — … Read more

Lab: Detecting Malicious GitHub Actions with Static Analysis

March 25, 2026February 3, 2026 by Said OULMAKHZOUNE

Overview Third-party GitHub Actions are one of the most convenient features of the GitHub ecosystem. With a single uses: directive, you can pull in complex build logic, deploy to cloud providers, or run security scanners. But that convenience comes with a critical trade-off: every third-party action executes code in your CI environment with access to … Read more

Signing and Verifying Container Images with Sigstore and Cosign

March 23, 2026February 3, 2026 by Said OULMAKHZOUNE

Introduction: Why Artifact Signing Matters in CI/CD Modern software delivery pipelines are remarkably good at building and shipping code fast. But speed without trust is a liability. Between the moment source code is committed and the moment a container image runs in production, there is a gap — a gap where tampering, substitution, or silent … Read more

IAST and RASP for Java Applications

March 25, 2026February 2, 2026 by Said OULMAKHZOUNE

Introduction Static and dynamic testing techniques such as SAST and DAST provide valuable security insights, but they do not fully capture how Java applications behave at runtime. Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) address this gap by operating within the running application itself. For enterprise Java applications, especially in enterprise environments, … Read more

Build Integrity and Reproducible Builds: A Practical Guide for CI/CD

March 23, 2026February 1, 2026 by Said OULMAKHZOUNE

Introduction If you can’t reproduce a build, you can’t verify it. This simple truth sits at the heart of software supply chain security. Build integrity ensures that what you deploy is exactly what you intended to build — nothing added, nothing modified, nothing tampered with between source code and production artifact. In recent years, supply … Read more

Secure Deployment Workflows: From CI/CD Pipeline to Production

March 24, 2026January 31, 2026 by Said OULMAKHZOUNE

Your CI/CD pipeline can have airtight security controls—signed commits, pinned dependencies, SAST scans, container image signing—but none of it matters if the deployment process itself is weak. Deployment is the critical junction where pipeline security meets production security. A compromised deployment workflow can bypass every upstream control you have built, pushing malicious code straight into … Read more

CI/CD Execution Models and Trust Assumptions: A Security Guide

March 23, 2026January 30, 2026 by Said OULMAKHZOUNE

Introduction CI/CD pipelines are among the most privileged components in any modern software organization. They clone source code, access secrets, build artifacts, and deploy to production — often with minimal human oversight. Yet despite this extraordinary level of access, the trust models underpinning these pipelines are rarely made explicit. When a pipeline runs, it implicitly … Read more

Why “Shift Left” Fails Without CI/CD Pipeline Security

January 26, 2026 by Said OULMAKHZOUNE

“Shift left” has become one of the most widely adopted principles in DevSecOps. The idea is simple and appealing: move security earlier in the software development lifecycle to detect issues sooner, reduce costs, and improve overall security outcomes. Over time, “shift left” has evolved from a useful concept into a near-unquestioned dogma. Security scanning, testing, … Read more