Awesome CI/CD Security
List of awesome resources about CI/CD security included books, blogs, videos, tools and cases.
Table of Contents
Book
Blogs
General
- Top 10 CI/CD Security Risks
- Continuous Delivery 3.0 Maturity Model (CD3M)
- Visualizing CI/CD from an attacker's perspective
- The Anatomy of an Attack Against a Cloud Supply Pipeline
- When Supply-Chain Attacks Meet CI/CD Infrastructures
- CI/CD Supply Chain Attacks for Data Exfiltration or Cloud Account Takeover
- Detecting Malicious Activity in CI/CD Pipeline with Tracee
- Let's Hack a Pipeline: Argument Injection
- Let's Hack a Pipeline: Stealing Another Repo
- Let's Hack a Pipeline: Shared Infrastructure
- Poorly Configured CI/CD Systems Can Be A Backdoor Into Your Infrastructure
- Assess Vulnerabilities and Misconfigurations in CICD Pipelines: Part 1
- Assess Vulnerabilities and Misconfigurations in CICD Pipelines: Part 2
- Defending software build pipelines from malicious attack
- Cloud Native Best Practices: Security Policies in CI/CD Pipelines
GitLab
- Abusing GitLab Runners
- Securing GitLab CI pipelines with Sysbox
- GitLab - Security for self-managed runners
- Critical GitLab vulnerability could allow attackers to steal runner registration tokens
GitHub Actions
- Self-hosted runner security
- GitHub Action Runners Analyzing the Environment and Security in Action
- Github Actions Security Best Practices
- Automatically Secure Your CI/CD Pipelines Using Tracee GitHub Action
Jenkins
- Attacking Jenkins
- Reflections on trusting plugins: Backdooring Jenkins builds
- Securing Jenkins
- How to Secure Jenkins Pipelines without the hassle
ArgoCD
Videos
- Challenges to Securing CI/CD Pipelines
- Attacking Development Pipelines For Actual Profit
- Exploiting Continuous Integration (CI) and Automated Build systems
- Continuous Intrusion: Why CI Tools Are An Attacker's Best Friends
- How to Build a Compromise Resilient CI/CD
- Argo CD Security Practices
Repositories
Playground
Cases
- 10 real-world stories of how we've compromised CI/CD pipelines
- CI/CD pipeline attacks: A growing threat to enterprise security
- Poisoned pipelines: Security researcher explores attack methods in CI environments
- Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects
- GitHub Actions being actively abused to mine cryptocurrency on GitHub servers
- Report: Software supply chain attacks increased 300% in 2021
- Critical vulnerability discovered in popular CI/CD framework
- Malicious Kubernetes Helm Charts can be used to steal sensitive information from Argo CD deployments
- New Attacks on Kubernetes via Misconfigured Argo Workflows
- Argo CD Security Bug Opens Kubernetes Cloud Apps to Attackers
- Ransomware attacks on GitHub, Bitbucket, and GitLab - what you should know
- Compromising CI/CD Pipelines with Leaked Credentials
Contributing
Your contributions are always welcome.