How to have visibility and security OF CICD ecosystem

Presentation Material

Abstract

Today CICD platforms are an integral and critical part of the overall software supply chain. To support the business requirements, it processes a lot of sensitive data, compromise of which can have effect on the entire organization. Security IN CICD is a well discussed topic, now security OF CICD deserves the same attention.

One of the challenges with security OF CICD, like most areas of security, is the lack of visibility of what actually makes a CICD ecosystem. Security starts with being aware of what needs to be secure.

In this talk I will be presenting how an organization can approach the visibility and thus security OF CICD ecosystem along with some common attack areas like access controls, credentials hygiene, misconfiguration etc. and their possible solutions.

I will introduce two new open source projects:

First, CICDGuard - a graph based CICD ecosystem visualizer and security analyzer, which represents entire CICD ecosystem in graph form, providing intuitive visibility and solving the awareness problem. It identifies common security flaws across supported technologies and provides industry best practices and guidelines for identified flaws.

Second, ActionGOAT - a deliberate damn vulnerable GitHub Action for learning purposes.

AI Generated Summary

The talk addressed security of the CI/CD ecosystem itself, emphasizing the need for comprehensive visibility into all components (repositories, runners, servers, actions) and the relationships between them, rather than only integrating security checks into pipelines. The attack surface includes misconfigurations (e.g., default credentials in Jenkins), vulnerable or malicious third-party GitHub Actions on self-hosted runners, and credential propagation via SSO integrations. A three-part methodology was proposed: shared responsibility between software providers and consumers to vet components; secure implementation and configuration; and continuous monitoring for detection and response.

The speaker introduced CI/CD Guard, an open-source tool that models the CI/CD environment as a graph database (Neo4j), where nodes represent granular components (e.g., repositories, jobs, plugins, actions) and edges represent relationships (e.g., a repository change triggering a specific Jenkins build). Independent scan engines collect data via API from supported technologies (GitHub Actions, Jenkins, etc.) with administrative access. The analysis engine correlates this data to build the graph, identifying security misconfigurations (e.g., outdated plugins, disabled MFA) and mapping component dependencies. A basic web UI visualizes the graph, allowing filtering by node type and vulnerability status.

Practical implications include using the tool to inventory all third-party actions and their versions across an organization, flagging deviations from approved versions, and tracing attack paths (e.g., a specific user’s commit to a compromised build job). Future work aims to expand supported technologies and enhance analysis for microservice architectures, such as linking multiple repositories to a single service. The tool outputs JSON for integration with other systems, but the primary value lies in providing the previously missing visibility and relational context across the fragmented CI/CD landscape.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content. Learn more about our AI experiments.