Hackers of India

CICDGuard

By Pramod Rana on 29 Aug 2024 @ Hitb Sec Conf

Abstract

CICDGuard is a graph based CICD ecosystem visualizer and security analyzer, which:

- Represents the entire CICD ecosystem in graph form, providing intuitive visibility and solving the awareness problem
- Identifies common security flaws across supported technologies and provides industry best practices and guidelines for identified flaws, adhering to the OWASP CICD Top 10 vulnerabilities
- Identifies the relationship between different technologies and demonstrates how a vulnerability in one component can affect one or more other technologies

Technologies supported: GitHub, GitHub Actions, Jenkins, JFrog, Spinnaker, Drone

CICD platforms are an integral part of the overall software supply chain and process a lot of sensitive data; compromise of a CICD platform can affect the entire organization. Security IN CICD is a well-discussed topic; security OF CICD deserves the same attention. One of the challenges with security OF CICD, as in most areas of security, is the lack of visibility into what actually makes up a CICD ecosystem. Security starts with being aware of what needs to be secured.

CICDGuard has three major modules:

- Scan Engine: responsible for scanning the target environments
- Analysis Engine: responsible for analyzing the relationship between different technologies
- WebUI: graph based WebUI to visualize all data and make configuration changes

CICDGuard has been architected using a modular approach, and each module can function independently. For example, users can run each scan engine script on its own and perform the security analysis. Users can also choose to have the output in JSON format, printed in the terminal, or stored in a Neo4j database. JSON output also allows CICDGuard to be integrated into the CICD pipeline itself.
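To make the graph idea from the abstract concrete (how a compromise in one component propagates to the technologies it feeds, and how a JSON report could gate a pipeline), here is a small added example; it is not CICDGuard's own code or data format, and the component names and edges are a constructed, hypothetical inventory.

```python
import json
from collections import deque

# Constructed sample inventory (hypothetical; not CICDGuard's data model).
# Each edge means "source can influence target" via a token, webhook or artifact flow.
SAMPLE_EDGES = [
    ("github:org/app-repo", "github-action:build.yml", "triggers workflow"),
    ("github-action:build.yml", "jenkins:deploy-job", "webhook with stored token"),
    ("jenkins:deploy-job", "jfrog:app-releases", "publishes artifact with deploy key"),
    ("jfrog:app-releases", "spinnaker:prod-pipeline", "artifact trigger"),
    ("drone:lint-pipeline", "github:org/app-repo", "posts commit status"),
]

def build_graph(edges):
    """Adjacency list: node -> list of (downstream node, relationship label)."""
    graph = {}
    for src, dst, label in edges:
        graph.setdefault(src, []).append((dst, label))
        graph.setdefault(dst, [])          # make sure sinks exist as nodes too
    return graph

def blast_radius(graph, compromised):
    """Every component reachable from `compromised`, each with the path explaining why.
    BFS follows the direction of influence: if A can push code, artifacts or tokens
    into B, then a compromise of A undermines the integrity of B as well."""
    paths = {compromised: [compromised]}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for nxt, label in graph.get(node, []):
            if nxt not in paths:               # visited check keeps cycles finite
                paths[nxt] = paths[node] + [f"--{label}-->", nxt]
                queue.append(nxt)
    paths.pop(compromised)                     # report only downstream impact
    return paths

def report_json(graph, compromised):
    """JSON report in the shape a pipeline gate could consume."""
    impact = blast_radius(graph, compromised)
    return json.dumps({"compromised": compromised,
                       "affected": sorted(impact),
                       "paths": {k: " ".join(v) for k, v in impact.items()}}, indent=2)

if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    print(report_json(g, "github-action:build.yml"))
```

Running it shows that a compromised workflow file reaches Jenkins, JFrog and Spinnaker through the stored credentials and artifact triggers, while the Drone lint pipeline, which only posts statuses back, is untouched.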

This session will include a live demo scanning a test environment and a walkthrough of the architecture and of the different features and sections of the WebUI.