Guides

Guides on Secure Pipelines are structured, in-depth resources designed to explain how to design, secure, and operate CI/CD and software delivery pipelines.

Unlike individual articles, guides focus on core concepts, architectures, and long-term practices that remain relevant across tools and platforms.

Secure CI/CD architecture

These guides explore how CI/CD pipelines are designed, where trust boundaries exist, and how security controls can be integrated without breaking delivery workflows.

  • CI/CD execution models and trust assumptions
  • Pipeline stages and security responsibilities
  • Secure runner architectures and isolation strategies
  • Separation of duties and least privilege in pipelines

Software supply chain security

Software supply chain security focuses on protecting the integrity of what is built, how it is built, and how it is delivered.

  • Dependency risks and transitive trust
  • Build integrity and reproducible builds
  • Artifact provenance and attestations
  • SLSA levels and practical implementation

Build integrity and artifact trust

These guides cover techniques and patterns for ensuring that build outputs are authentic, traceable, and protected against tampering.

  • Artifact signing and verification
  • Using Sigstore and Cosign
  • Attestation formats and metadata
  • Verifying artifacts at deployment time

Secrets management in pipelines

Secrets are one of the most common sources of CI/CD compromise.

These guides focus on managing secrets safely across pipeline stages and environments.

  • Secrets exposure risks in CI/CD
  • Secrets injection patterns
  • Short-lived credentials and identity-based access
  • Integrating external secret managers

Policy enforcement and controls

Security controls in pipelines must be enforceable, auditable, and predictable.

  • Policy as Code concepts
  • Using OPA for pipeline controls
  • Validating configurations and workflows
  • Failing pipelines safely and explicitly

Threats, attacks, and defenses

Understanding how CI/CD pipelines are attacked is essential to securing them.

  • Common CI/CD attack paths
  • Compromised runners and build agents
  • Dependency confusion and artifact poisoning
  • Defensive patterns and mitigations

Using the guides

Guides are designed to be read sequentially or used as reference material.

Each guide:

  • Explains the underlying concepts
  • Shows practical design and implementation options
  • Discusses trade-offs and limitations
  • Links to relevant labs and articles

As new threats, tools, and practices emerge, guides are updated to remain accurate and useful over time.

Related ecosystem

For compliance, governance, and regulatory guidance related to CI/CD and DevSecOps, see regulated-devsecops.com.

Together, the two sites provide both the engineering and governance perspectives required to secure modern software delivery pipelines.