awesome-cicd-security
:books: A curated list of awesome CI CD security resources
https://github.com/myugan/awesome-cicd-security
Last synced: about 3 hours ago
JSON representation
-
Blogs
-
General
- Top 10 CI/CD Security Risks
- Continuous Delivery 3.0 Maturity Model (CD3M)
- The Anatomy of an Attack Against a Cloud Supply Pipeline
- When Supply-Chain Attacks Meet CI/CD Infrastructures
- CI/CD Supply Chain Attacks for Data Exfiltration or Cloud Account Takeover
- Detecting Malicious Activity in CI/CD Pipeline with Tracee
- Poorly Configured CI/CD Systems Can Be A Backdoor Into Your Infrastructure
- Assess Vulnerabilities and Misconfigurations in CICD Pipelines: Part 1
- Assess Vulnerabilities and Misconfigurations in CICD Pipelines: Part 2
- Defending software build pipelines from malicious attack
- Cloud Native Best Practices: Security Policies in CI/CD Pipelines
- Let’s Hack a Pipeline: Stealing Another Repo
- Let’s Hack a Pipeline: Shared Infrastructure
- Visualizing CI/CD from an attacker’s perspective
- Let’s Hack a Pipeline: Argument Injection
- When Supply-Chain Attacks Meet CI/CD Infrastructures
-
GitLab
-
GitHub Actions
- GitHub Action Runners Analyzing the Environment and Security in Action
- Automatically Secure Your CI/CD Pipelines Using Tracee GitHub Action
- Github Actions Security Best Practices
- Stealing arbitrary GitHub Actions secrets
- Exploiting GitHub Actions on open source projects
- What the fork? Imposter commits in GitHub Actions and CI/CD
- The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree
- Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows
- Long Live the Pwn Request: Hacking Microsoft GitHub Repositories and More
- One Supply Chain Attack to Rule Them All – Poisoning GitHub’s Runner Images
- TensorFlow Supply Chain Compromise via Self-Hosted Runner Attack
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 3: How to trust your building blocks
- Security hardening for GitHub Actions
-
Jenkins
-
ArgoCD
-
Azure DevOps Server
-
-
Repositories
-
Tools
-
ArgoCD
- Gato - A tool that helps blue teamers and offensive security practitioners find weaknesses in GitHub organization's public and private repositories.
- clank - Simple tool that allows you to detect imposter commits in GitHub Actions workflows.
- legitify - Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets.
- poutine - A security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository.
- Harden-Runner - Network egress filtering and runtime security for GitHub-hosted and self-hosted runners.
- Cimon - Runtime security solution for your CI/CD pipeline.
- Raven - A powerful security tool designed to perform massive scans for GitHub Actions CI workflows and digest the discovered data into a Neo4j database
-
-
Playground
-
ArgoCD
-
-
Books
-
Videos
-
ArgoCD
- Challenges to Securing CI/CD Pipelines
- Attacking Development Pipelines For Actual Profit
- Exploiting Continuous Integration (CI) and Automated Build systems
- Continuous Intrusion: Why CI Tools Are An Attacker's Best Friends
- How to Build a Compromise Resilient CI/CD
- OMGCICD - From Intern to Production by: Denis Andzakovic
- Attacking Argo CD with Argo CD (and then Defending) - Michael Crenshaw, Intuit
-
-
Cases
-
ArgoCD
- CI/CD pipeline attacks: A growing threat to enterprise security
- Poisoned pipelines: Security researcher explores attack methods in CI environments
- Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects
- GitHub Actions being actively abused to mine cryptocurrency on GitHub servers
- Report: Software supply chain attacks increased 300% in 2021
- Critical vulnerability discovered in popular CI/CD framework
- Malicious Kubernetes Helm Charts can be used to steal sensitive information from Argo CD deployments
- Argo CD Security Bug Opens Kubernetes Cloud Apps to Attackers
- Ransomware attacks on GitHub, Bitbucket, and GitLab – what you should know
- Compromising CI/CD Pipelines with Leaked Credentials
- 10 real-world stories of how we’ve compromised CI/CD pipelines
- Report: Software supply chain attacks increased 300% in 2021
- New Attacks on Kubernetes via Misconfigured Argo Workflows
- 10 real-world stories of how we’ve compromised CI/CD pipelines
-
-
Guidelines
Programming Languages
Categories
Sub Categories
Keywords
security
6
supply-chain-security
4
devsecops
4
cicd
3
github-actions
3
devops
3
security-hardening
2
security-scanner
2
hardening
2
golang
2
gitlab
2
github
2
ci
2
actions
2
jenkins
2
hacking
2
supply-chain
2
gh-extension
1
cli
1
sdlc-security
1
rce
1
pentest
1
exploit
1
azure-devops-server
1
azure-devops
1
attack-trees
1
attack-tree
1
attack-simulator
1
attack-simulation
1
infosec
1
ctf
1
appsec
1
security-tools
1
security-automation
1
cycode
1
linux
1
ebpf
1
runtime-security
1
runners
1
network-security
1
egress-filtering
1