This page provides an overview of the main technical topics covered on Secure Pipelines.
Each topic represents a core area of CI/CD and software supply chain security, with in-depth articles, guides, and hands-on labs.
CI/CD Security
This topic focuses on securing CI/CD pipelines against tampering, abuse, and unauthorized changes.
→ Read the complete guide to CI/CD Pipeline Security
- Pipeline execution models and trust boundaries
- Permissions, identities, and access control
- Secrets exposure and protection
- Secure deployment workflows
Guides: Policy as Code | Workload Identity Federation | Defensive Patterns
Cheat sheets: OWASP Top 10 CI/CD Risks | SLSA Levels Checklist
Software Supply Chain Security
Software supply chain security addresses the integrity of dependencies, builds, and artifacts.
→ Read the comprehensive guide to Software Supply Chain Security
- Dependency risks and transitive trust
- Build integrity and reproducible builds
- Artifact provenance and attestations
- Artifact signing and verification
Labs: Cosign Signing | SLSA Provenance | SBOM Pipeline | Reproducible Builds
Comparisons: Signing Tools | SBOM Tools
Pipeline Hardening
This topic covers techniques for strengthening pipeline execution environments.
→ Read the Pipeline Hardening guide
- Runner and build agent isolation
- Network and filesystem restrictions
- Least privilege execution models
- Hardening shared and self-hosted runners
Labs: GHA Hardening | Secret Leaks | OPA Conftest
Comparisons: Security Scanners | Policy Engines
GitHub Actions
This topic focuses on securing workflows built with GitHub Actions.
→ Read the GitHub Actions Security Definitive Guide
- Workflow permissions and token scoping
- Securing third-party actions
- Runner security and isolation
- OIDC workload identity with AWS
Labs: Hardening Workflows | Cosign Signing | SLSA Provenance
Cheat sheet: GitHub Actions Security Cheat Sheet
GitLab CI
This topic explores security considerations specific to GitLab CI/CD.
→ Read the GitLab CI/CD Security Definitive Guide
- Pipeline and job security
- Runner configuration and isolation
- Secrets management in GitLab pipelines
- Secure deployment workflows
Lab: Securing GitLab CI Pipelines
Cheat sheet: GitLab CI Security Cheat Sheet
Threats and Attacks
Understanding how CI/CD pipelines are attacked is critical to defending them.
→ Read the CI/CD Threats and Attacks guide
- Common CI/CD attack paths
- Supply chain attack techniques
- Poisoned pipeline execution
- OWASP Top 10 CI/CD Risks
Labs: PPE Attack | Dependency Confusion | Malicious Actions | Artifact Tampering
Policy as Code
Policy as Code enables automated, enforceable security controls in CI/CD pipelines.
- Policy design principles and OPA/Rego
- Configuration and workflow validation with Conftest
- Policy engines compared: OPA vs Kyverno vs Sentinel vs Cedar
How to use the topics
Topics can be explored independently or used as entry points into more structured content.
Each topic links to:
- Related articles and pillar guides
- In-depth technical guides
- Hands-on labs
- Cheat sheets and comparison resources
Together, they provide a complete view of CI/CD and software supply chain security.
Related ecosystem
For compliance, governance, and regulatory perspectives related to DevSecOps and CI/CD, see regulated-devsecops.com.
Secure Pipelines focuses on technical implementation, while Regulated DevSecOps focuses on governance and auditability.
