CI/CD Security

Modern CI/CD pipelines require robust security controls integrated throughout the development lifecycle. This guide covers the latest security practices and patterns for CI/CD pipelines.

Secure Pipeline Design

Multi-Stage Security Validation

# Example Pipeline Structure
stages:
  - validate
  - scan
  - build
  - test
  - security
  - compliance
  - deploy
  - monitor

Zero-Trust Pipeline Architecture

  • Isolated build environments

  • Ephemeral credentials

  • Just-in-time access

  • Minimal privilege principle

  • Network segmentation

Security Controls

1. Pipeline Security Gates

  • Code quality thresholds

  • Security scan results

  • Dependency checks

  • License compliance

  • Infrastructure validation

2. Automated Security Checks

GitHub Actions Example

name: Security Pipeline
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      # SAST
      - uses: github/codeql-action/analyze@v2
        
      # Dependencies
      - uses: snyk/actions/node@master
        
      # Container Security  
      - uses: aquasecurity/trivy-action@master
        
      # IaC Security
      - uses: bridgecrewio/checkov-action@master
        
      # License Compliance
      - uses: fossas/fossa-action@main

Azure DevOps Pipeline Example

trigger:
  - main
  - release/*

variables:
  azureSubscription: 'Production'
  
stages:
- stage: SecurityValidation
  jobs:
  - job: SecurityScans
    pool:
      vmImage: 'ubuntu-latest'
    steps:
    - task: Semmle@1
      inputs:
        sourceCodeDirectory: '$(Build.SourcesDirectory)'
        language: 'cpp,java,python,javascript'
        
    - task: WhiteSource@21
      inputs:
        cwd: '$(System.DefaultWorkingDirectory)'
        
    - task: CheckmarxScan@9
      inputs:
        projectName: '$(Build.Repository.Name)'
        enablePolicyMode: true

- stage: ComplianceCheck
  jobs:
  - job: Compliance
    steps:
    - task: SonarQubePrepare@5
    - task: SonarQubeAnalyze@5
    - task: SonarQubePublish@5

Supply Chain Security

1. Dependency Management

  • SBOM generation

  • Vulnerability scanning

  • License compliance checks

  • Version pinning

  • Dependency updates

2. Container Security

# Container Build Security
steps:
- task: ContainerScan@0
  inputs:
    imageName: '$(imageRepository):$(tag)'
    scanType: 'vulnerability'
    severityThreshold: 'CRITICAL'
    
- task: ContainerStructureTest@0
  inputs:
    imageName: '$(imageRepository):$(tag)'
    testFile: 'test/container-structure-test.yaml'

3. Artifact Signing

# Artifact Signing Configuration
signing:
  provider: cosign
  identities:
    - name: pipeline-signing-key
      type: kms
      keyRef: projects/my-project/locations/global/keyRings/release-keys
  verification:
    - policy: match-signature
      keyRef: projects/my-project/locations/global/keyRings/release-keys

Runtime Security

1. Dynamic Security Testing

# DAST Integration
security_testing:
  dast:
    zap:
      target: https://staging.app.com
      rules: security-rules.conf
      thresholds:
        high: 0
        medium: 5
    nuclei:
      templates: security-templates/
      severity: critical,high

2. Infrastructure Security

# Infrastructure Validation
infrastructure:
  validation:
    - provider: terraform
      policy_set: security-baseline
    - provider: kubernetes
      policy_set: pod-security
    - provider: cloud
      policy_set: compliance-controls

Monitoring and Response

1. Security Observability

# Security Monitoring Configuration
monitoring:
  providers:
    - name: azure-sentinel
      workspace: security-analytics
    - name: elastic-security
      endpoint: https://es.internal
  alerts:
    - name: high-risk-deployment
      criteria: deployment_risk_score > 80
      channels: ['security-team', 'devops-oncall']

2. Incident Response

# Incident Response Automation
response:
  triggers:
    - event: security_violation
      severity: high
      actions:
        - type: slack_notification
          channel: security-incidents
        - type: jira_ticket
          project: SEC
          priority: P1
        - type: deployment_rollback
          target: last_known_good

Compliance Automation

1. Compliance Checks

# Compliance Validation
compliance:
  frameworks:
    - standard: PCI-DSS
      controls: [requirement-6, requirement-8]
    - standard: SOC2
      controls: [CC6.1, CC7.1, CC8.1]
  reporting:
    format: [json, pdf]
    schedule: weekly

2. Audit Logging

# Audit Configuration
audit:
  retention: 365d
  destinations:
    - type: cloud_storage
      bucket: audit-logs
    - type: security_analytics
      workspace: compliance-monitoring
  events:
    - category: pipeline_execution
    - category: security_scan
    - category: deployment
    - category: configuration_change

GitOps Security Integration

1. Secure GitOps Workflows

# Flux Security Configuration
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
  name: secure-apps
spec:
  interval: 1m
  url: https://github.com/org/apps
  secretRef:
    name: flux-system
  verify:
    provider: cosign
    secretRef:
      name: cosign-public-key

2. Policy Enforcement

# OPA/Gatekeeper Policy
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: deployment-must-have-security-context
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  parameters:
    labels: ["security-context-validated"]

Best Practices Summary

  1. Pipeline Security

    • Implement defense in depth

    • Use security gates

    • Enable audit logging

    • Enforce least privilege

  2. Supply Chain

    • Generate and verify SBOMs

    • Sign artifacts and images

    • Use trusted base images

    • Implement dependency scanning

  3. Runtime Security

    • Deploy WAF protection

    • Enable runtime scanning

    • Implement chaos engineering

    • Monitor security metrics

  4. Compliance

    • Automate compliance checks

    • Maintain audit trails

    • Generate compliance reports

    • Implement policy controls

Remember to regularly review and update security controls as new threats emerge and compliance requirements evolve.

Last updated