Lab: Securing GitLab CI Pipelines — Protected Variables, Runners, and Environments

Overview: GitLab CI is the second most widely used CI/CD platform in the industry, powering millions of pipelines across organizations of every size. Its tight integration with source control makes it exceptionally convenient — but that same integration creates a broad attack surface if pipelines are not deliberately hardened. In this hands-on lab you will …

Enterprise DAST Tools Comparison: RFP-Based Evaluation for Enterprise CI/CD Environments

Selecting a Dynamic Application Security Testing (DAST) tool in regulated enterprise environments is rarely a matter of choosing the solution with the most features or the highest vulnerability detection rate. In practice, DAST tooling decisions are driven by governance, CI/CD enforceability, operational reliability, and audit readiness. This article presents a realistic comparison of enterprise DAST …

Separation of Duties and Least Privilege in CI/CD Pipelines

Introduction: Most CI/CD pipelines start with a simple goal: get code from a developer’s machine into production as fast as possible. Along the way, someone creates a service account, grants it broad permissions, stores the credentials as a pipeline secret, and moves on. It works. Builds pass, deployments succeed, and nobody thinks about it again …

Network and Filesystem Restrictions for CI/CD Build Environments

CI/CD pipelines are among the most privileged workloads in any organization. They pull source code, download dependencies, access secrets, and push artifacts to production registries. Yet in many environments, the build processes behind these pipelines run with unrestricted network access and full filesystem permissions — a combination that represents one of the most exploitable gaps …

Lab: Simulating a Dependency Confusion Attack in a Sandbox Environment

Overview: Dependency confusion is a supply chain attack that exploits how package managers resolve package names when both private (internal) and public registries are configured. When an attacker publishes a malicious package to a public registry using the same name as an internal private package — but with a higher version number — the package …

SLSA Levels Explained: A Practical Compliance Checklist for Engineering Teams

Introduction: What Is SLSA and Why Should You Care? Supply-chain Levels for Software Artifacts — SLSA (pronounced “salsa”) — is a security framework created by Google and now maintained by the Open Source Security Foundation (OpenSSF). Its goal is deceptively simple: make it harder for attackers to tamper with the software you build and ship. …

OWASP Top 10 CI/CD Risks Explained with Real-World Examples

CI/CD pipelines have become the backbone of modern software delivery. But with that power comes significant risk. The OWASP Top 10 CI/CD Security Risks project catalogues the most critical attack vectors targeting continuous integration and continuous delivery systems. In this guide, we break down each risk with real-world examples, impact assessments, and actionable mitigations you …

Short-Lived Credentials and Workload Identity Federation in CI/CD Pipelines

Introduction: If you audit the secret stores of most CI/CD platforms today, you will find a graveyard of long-lived credentials: AWS access keys created years ago, GCP service account JSON keys shared across dozens of pipelines, GitHub Personal Access Tokens with broad scopes, and database passwords that have never been rotated. These static secrets are …

Lab: Configuring OIDC Workload Identity for GitHub Actions with AWS

Overview: If your GitHub Actions workflows authenticate to AWS using AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY stored as repository secrets, you have a serious security problem. Those long-lived credentials never expire on their own, can be exfiltrated by any workflow step (including third-party actions), and give attackers persistent access to your AWS account if compromised. OpenID Connect (OIDC) …

Engineer Remediation Guide for CI/CD Supplier Controls

What to change concretely in real CI/CD environments 🔐 Access & Identity Hardening If failing SSO/MFA controls: 🧱 Runner Isolation If using shared runners in regulated pipelines: 🚫 Policy Gates Not Blocking If SAST/SCA/DAST results are advisory only: 📦 Artifact Integrity If artifact signing missing: Evidence Centralization If logs only exist in vendor UI: 🔁 …