CI/CD Security
Modern CI/CD pipelines require robust security controls integrated throughout the development lifecycle. This guide covers the latest security practices and patterns for CI/CD pipelines.
Secure Pipeline Design
Multi-Stage Security Validation
# Example Pipeline Structure
stages:
- validate
- scan
- build
- test
- security
- compliance
- deploy
- monitorZero-Trust Pipeline Architecture
Isolated build environments
Ephemeral credentials
Just-in-time access
Minimal privilege principle
Network segmentation
Security Controls
1. Pipeline Security Gates
Code quality thresholds
Security scan results
Dependency checks
License compliance
Infrastructure validation
2. Automated Security Checks
GitHub Actions Example
name: Security Pipeline
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
# SAST
- uses: github/codeql-action/analyze@v2
# Dependencies
- uses: snyk/actions/node@master
# Container Security
- uses: aquasecurity/trivy-action@master
# IaC Security
- uses: bridgecrewio/checkov-action@master
# License Compliance
- uses: fossas/fossa-action@mainAzure DevOps Pipeline Example
trigger:
- main
- release/*
variables:
azureSubscription: 'Production'
stages:
- stage: SecurityValidation
jobs:
- job: SecurityScans
pool:
vmImage: 'ubuntu-latest'
steps:
- task: Semmle@1
inputs:
sourceCodeDirectory: '$(Build.SourcesDirectory)'
language: 'cpp,java,python,javascript'
- task: WhiteSource@21
inputs:
cwd: '$(System.DefaultWorkingDirectory)'
- task: CheckmarxScan@9
inputs:
projectName: '$(Build.Repository.Name)'
enablePolicyMode: true
- stage: ComplianceCheck
jobs:
- job: Compliance
steps:
- task: SonarQubePrepare@5
- task: SonarQubeAnalyze@5
- task: SonarQubePublish@5Supply Chain Security
1. Dependency Management
SBOM generation
Vulnerability scanning
License compliance checks
Version pinning
Dependency updates
2. Container Security
# Container Build Security
steps:
- task: ContainerScan@0
inputs:
imageName: '$(imageRepository):$(tag)'
scanType: 'vulnerability'
severityThreshold: 'CRITICAL'
- task: ContainerStructureTest@0
inputs:
imageName: '$(imageRepository):$(tag)'
testFile: 'test/container-structure-test.yaml'3. Artifact Signing
# Artifact Signing Configuration
signing:
provider: cosign
identities:
- name: pipeline-signing-key
type: kms
keyRef: projects/my-project/locations/global/keyRings/release-keys
verification:
- policy: match-signature
keyRef: projects/my-project/locations/global/keyRings/release-keysRuntime Security
1. Dynamic Security Testing
# DAST Integration
security_testing:
dast:
zap:
target: https://staging.app.com
rules: security-rules.conf
thresholds:
high: 0
medium: 5
nuclei:
templates: security-templates/
severity: critical,high2. Infrastructure Security
# Infrastructure Validation
infrastructure:
validation:
- provider: terraform
policy_set: security-baseline
- provider: kubernetes
policy_set: pod-security
- provider: cloud
policy_set: compliance-controlsMonitoring and Response
1. Security Observability
# Security Monitoring Configuration
monitoring:
providers:
- name: azure-sentinel
workspace: security-analytics
- name: elastic-security
endpoint: https://es.internal
alerts:
- name: high-risk-deployment
criteria: deployment_risk_score > 80
channels: ['security-team', 'devops-oncall']2. Incident Response
# Incident Response Automation
response:
triggers:
- event: security_violation
severity: high
actions:
- type: slack_notification
channel: security-incidents
- type: jira_ticket
project: SEC
priority: P1
- type: deployment_rollback
target: last_known_goodCompliance Automation
1. Compliance Checks
# Compliance Validation
compliance:
frameworks:
- standard: PCI-DSS
controls: [requirement-6, requirement-8]
- standard: SOC2
controls: [CC6.1, CC7.1, CC8.1]
reporting:
format: [json, pdf]
schedule: weekly2. Audit Logging
# Audit Configuration
audit:
retention: 365d
destinations:
- type: cloud_storage
bucket: audit-logs
- type: security_analytics
workspace: compliance-monitoring
events:
- category: pipeline_execution
- category: security_scan
- category: deployment
- category: configuration_changeGitOps Security Integration
1. Secure GitOps Workflows
# Flux Security Configuration
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
name: secure-apps
spec:
interval: 1m
url: https://github.com/org/apps
secretRef:
name: flux-system
verify:
provider: cosign
secretRef:
name: cosign-public-key2. Policy Enforcement
# OPA/Gatekeeper Policy
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: deployment-must-have-security-context
spec:
match:
kinds:
- apiGroups: ["apps"]
kinds: ["Deployment"]
parameters:
labels: ["security-context-validated"]Best Practices Summary
Pipeline Security
Implement defense in depth
Use security gates
Enable audit logging
Enforce least privilege
Supply Chain
Generate and verify SBOMs
Sign artifacts and images
Use trusted base images
Implement dependency scanning
Runtime Security
Deploy WAF protection
Enable runtime scanning
Implement chaos engineering
Monitor security metrics
Compliance
Automate compliance checks
Maintain audit trails
Generate compliance reports
Implement policy controls
Remember to regularly review and update security controls as new threats emerge and compliance requirements evolve.
Last updated