Labs

Labs on Secure Pipelines are hands-on exercises designed to explore real-world CI/CD and software supply chain security scenarios.

They focus on understanding how pipelines are attacked, where trust breaks, and how effective security controls can be implemented.

---

What to expect from the labs

Labs are practical by design and built around real CI/CD platforms and tooling.

• Step-by-step exercises
• Real CI/CD configurations and workflows
• YAML examples and commands
• Clear expected outcomes
• Failure scenarios and misconfigurations

Each lab is designed to demonstrate not only how to secure a pipeline, but also how and why security controls can fail.

---

CI/CD platform labs

These labs focus on securing specific CI/CD platforms and execution environments.

• GitHub Actions Labs
  • Hardening GitHub Actions Workflows — Permissions, Pinning, and Secrets
  • Configuring OIDC Workload Identity for GitHub Actions with AWS
  • Detecting Malicious GitHub Actions with Static Analysis
  • Running Ephemeral Self-Hosted Runners with Actions Runner Controller
• GitLab CI Labs
  • Securing GitLab CI Pipelines — Protected Variables, Runners, and Environments
• Tekton Labs
  • Implementing a Secure Build Pipeline with Tekton and Tekton Chains

---

Software supply chain labs

These labs explore attacks and defenses related to the software supply chain.

• Dependency compromise and poisoning — Simulating a dependency confusion attack
• Artifact signing and verification with Cosign in GitHub Actions
• Provenance generation and verification with SLSA
• SBOM creation, attestation, and validation with Syft and Cosign
• Reproducible container builds — Pinning, verifying, and diffing images

---

Pipeline hardening labs

These labs focus on strengthening pipeline execution environments.

• Runner isolation and execution models — Ephemeral runners with ARC
• Least privilege and permission scoping
• Secrets exposure and protection
• Enforcing Kubernetes deployment policies with OPA Conftest

---

Attack and defense scenarios

Understanding attacker techniques is essential to defending pipelines.

• Poisoned Pipeline Execution (PPE) — Exploiting and defending against CI/CD’s #2 attack
• Compromised dependencies — Dependency confusion simulation
• Compromised actions — Detecting malicious GitHub Actions
• Secret leak detection and prevention
• Artifact tampering and detection — Swapping container images in a registry

---

How to use the labs

Labs are designed to be executed in test or sandbox environments.

Before starting a lab, you should:

• Have basic CI/CD and Git knowledge
• Understand the target platform or tool
• Use non-production environments only

Each lab includes:

• Prerequisites
• Setup instructions
• Execution steps
• Cleanup guidance

---

Related ecosystem

For governance, auditability, and compliance perspectives related to CI/CD security, see regulated-devsecops.com.

Secure Pipelines focuses on how security controls are implemented and tested, while Regulated DevSecOps explains how those controls are governed and assessed.