This page gathers reference materials, tools, and technical resources related to CI/CD security and software supply chain protection.
Resources listed here are selected for their relevance, technical depth, and practical usefulness.
Standards and frameworks
- SLSA (Supply-chain Levels for Software Artifacts)
Framework for improving build integrity and provenance across software supply chains.
→ Guide: Artifact Provenance and Attestations | → Lab: SLSA Provenance
- in-toto
Framework for securing the integrity of software supply chains through metadata and attestations.
→ Guide: From SLSA to in-toto
- SSDF (NIST Secure Software Development Framework)
Guidelines for integrating security throughout the software development lifecycle.
- OWASP Top 10 CI/CD Risks
Threat model focused on CI/CD pipeline security risks.
→ Guide: Defensive Patterns and Mitigations
CI/CD security tools
- Sigstore (Cosign, Rekor, Fulcio)
Tooling for signing, verifying, and recording software artifacts and attestations.
→ Guide: Signing with Sigstore and Cosign | → Lab: Cosign in GitHub Actions
- Trivy
Vulnerability, configuration, and SBOM scanner for containers and pipelines.
- Syft
SBOM generation tool for containers and source artifacts.
→ Lab: SBOM Pipeline with Syft and Cosign
- Grype
Vulnerability scanner based on SBOM analysis.
→ Lab: SBOM Pipeline with Syft and Cosign
- Checkov
Static analysis tool for infrastructure as code and pipeline configurations.
- Gitleaks
Secret detection tool for git repositories, pre-commit hooks, and CI/CD pipelines.
→ Lab: Detecting and Preventing Secret Leaks
- TruffleHog
Credential scanner with verified secret detection across git history, filesystems, and cloud services.
→ Lab: Detecting and Preventing Secret Leaks
- actionlint
Static checker for GitHub Actions workflow files — catches misconfigurations and expression injection risks.
→ Lab: Detecting Malicious GitHub Actions
- zizmor
Security-focused static analysis for GitHub Actions workflows.
→ Lab: Detecting Malicious GitHub Actions
- crane
CLI tool for interacting with container registries — inspect, copy, mutate, and diff images.
→ Lab: Artifact Tampering and Detection
- diffoscope
In-depth comparison tool for files, directories, and container images — essential for verifying build reproducibility.
→ Lab: Reproducible Container Builds
Policy and control enforcement
- Open Policy Agent (OPA)
General-purpose policy engine for enforcing security controls in pipelines.
→ Guide: Policy as Code with OPA and Rego | → Lab: OPA Conftest in CI/CD
- Kyverno
Policy engine designed for Kubernetes-native environments.
- Conftest
Tool for writing and testing policies against structured configuration data.
→ Lab: OPA Conftest in CI/CD
Secrets management
- HashiCorp Vault
Secrets management platform with dynamic secrets, encryption, and identity-based access.
→ Guide: Secrets Management with Vault Integration
- GitHub Actions OIDC
Workload identity federation for GitHub Actions — eliminate long-lived cloud credentials.
→ Guide: Workload Identity Federation | → Lab: OIDC with AWS
- GitLab CI OIDC
ID token authentication for GitLab CI — short-lived credentials for cloud access.
→ Guide: Workload Identity Federation
CI/CD platforms and ecosystems
- GitHub Actions
CI/CD platform with a strong ecosystem and growing security features.
→ Lab: Hardening GitHub Actions
- GitLab CI/CD
Integrated DevSecOps platform with built-in security controls.
→ Lab: Securing GitLab CI
- Tekton
Kubernetes-native CI/CD framework for building custom pipelines.
→ Lab: Tekton and Tekton Chains
- Actions Runner Controller (ARC)
Kubernetes operator for ephemeral, auto-scaling GitHub Actions runners.
→ Lab: Ephemeral Runners with ARC
Threat modeling and attacks
- OWASP Top 10 CI/CD Risks
The definitive threat model for CI/CD pipeline security risks.
→ Guide: CI/CD Pipelines as Attack Surface
- Poisoned Pipeline Execution (PPE)
OWASP CI/CD #2 risk — attacker modifies pipeline code or build scripts via pull requests.
→ Lab: Exploiting and Defending Against PPE
- Dependency confusion (Alex Birsan, 2021)
Original research that compromised Apple, Microsoft, and Tesla via package manager name resolution.
→ Guide: Dependency Confusion and Artifact Poisoning | → Lab: Dependency Confusion Simulation
- CI/CD Threat Modeling
Analysis of trust boundaries and attack paths in CI/CD pipelines.
→ Guide: Execution Models and Trust Assumptions
Comparison guides
In-depth comparisons to help you choose the right tools for your CI/CD security stack.
- CI/CD Security Scanners Compared — Trivy vs Grype vs Snyk vs Checkov
- Container Signing Tools Compared — Cosign vs Notation vs GPG
- SBOM Tools Compared — Syft vs Trivy vs CycloneDX CLI
- CI/CD Policy Engines Compared — OPA vs Kyverno vs Sentinel vs Cedar
Cheat sheets and quick references
Concise, copy-paste-ready references for everyday CI/CD security tasks.
- GitHub Actions Security Cheat Sheet — Permissions, Pinning, Secrets, and OIDC
- GitLab CI Security Cheat Sheet — Variables, Runners, Environments, and OIDC
- OWASP Top 10 CI/CD Risks — Explained with Real-World Examples
- SLSA Levels — A Practical Compliance Checklist
External references
- OWASP Foundation
Open security resources and threat models.
- CNCF TAG Security
Cloud-native initiatives and best practices around supply chain security.
- NIST CSRC
Security standards and guidance related to software development and supply chains.
- OpenSSF (Open Source Security Foundation)
Cross-industry collaboration on open source software security, including Scorecard, SLSA, and Sigstore.
Related ecosystem
For compliance, governance, and regulatory aspects of DevSecOps and CI/CD, see regulated-devsecops.com.
The two sites are designed to complement each other:
- Secure Pipelines: technical implementation and engineering practices
- Regulated DevSecOps: governance, auditability, and compliance