Lab: Reproducible Container Builds — Pinning, Verifying, and Diffing Images

Overview: If you build the same Dockerfile twice and get different images, you cannot verify build integrity. A non-reproducible build means you have no way to confirm that the artifact running in production was actually produced from the source code you audited. Attackers can exploit this ambiguity to inject malicious code during the build process …

Lab: Artifact Tampering and Detection — Swapping Container Images in a Registry

Overview: Container image tags are mutable pointers. Unlike a Git commit hash, the tag v1.0.0 is not cryptographically bound to a specific image — it is simply a label that a registry maps to a manifest digest. Anyone with push access to a repository can overwrite that mapping at any time, silently replacing the image …

Lab: Implementing a Secure Build Pipeline with Tekton and Tekton Chains

Overview: Tekton is a powerful, Kubernetes-native open-source framework for creating continuous integration and continuous delivery (CI/CD) systems. It runs as a set of Custom Resource Definitions (CRDs) on any Kubernetes cluster, letting you define pipelines as declarative YAML that are portable across environments. Tekton Chains is a companion project that adds automatic supply chain security …

Lab: Enforcing Kubernetes Deployment Policies with OPA Conftest in CI/CD

Overview: Misconfigured Kubernetes manifests are one of the top causes of production security incidents. A container running as root, an unpinned image tag, a missing resource limit, or an exposed host network can each open the door to privilege escalation, resource exhaustion, or lateral movement inside your cluster. The problem is that these misconfigurations are …

Lab: Detecting and Preventing Secret Leaks in CI/CD Pipelines

Overview: Secret leaks in CI/CD pipelines are the number one cause of pipeline compromise. Exposed credentials — API keys, database passwords, cloud access tokens — give attackers a direct path into production systems. According to GitGuardian’s 2025 State of Secrets Sprawl report, over 12 million new secrets were detected in public GitHub commits in a …

Lab: Hardening GitHub Actions Workflows — Permissions, Pinning, and Secrets

Overview: GitHub Actions has become the most widely adopted CI/CD platform for open-source and commercial software alike. That popularity makes it the number-one attack surface in the CI/CD landscape. Misconfigured workflows routinely leak secrets, grant excessive permissions, and pull in third-party code that can be silently tampered with. In this hands-on lab you will harden …

Lab: Generating and Verifying SLSA Provenance for Container Images

Overview: SLSA (Supply-chain Levels for Software Artifacts) provenance is a verifiable record that describes how an artifact was built: the source repository, the build platform, the entry point, and the input materials. When attached to a container image, provenance lets consumers answer a critical question before deploying: “Was this image actually built from the source …

Lab: Signing and Verifying Container Images with Cosign in GitHub Actions

Overview: Every container image your CI/CD pipeline produces should be cryptographically signed before it reaches any environment. Unsigned images are a blind spot — you have no proof they came from your pipeline, no guarantee they weren’t tampered with in transit, and no policy hook to block rogue deployments. In this hands-on lab you will: …

Lab: Exploiting and Defending Against Poisoned Pipeline Execution (PPE)

Overview: Poisoned Pipeline Execution (PPE) ranks as the #2 risk in the OWASP CI/CD Security Top 10. It is a class of attacks where a malicious actor manipulates the build process by injecting code into pipeline definitions or build scripts, typically through a pull request. Once the CI system picks up the change, the attacker’s …