CICDGUARD
Presentation Material
Abstract
In this talk, I will present how an organization can approach the visibility and thus security OF CICD ecosystem, some common attack areas - access controls, credentials hygiene, misconfiguration etc. & possible solutions. I will introduce CICDGuard - a graph based CICD ecosystem visualizer & security analyzer.
CICD platforms are an integral part of the overall software supply chain and it processes a lot of sensitive data, compromise of which can affect the entire organization. Security IN CICD is a well discussed topic, security OF CICD deserves the same attention.
One of the challenges with security OF CICD, like most areas of security, is the lack of visibility of what actually makes a CICD ecosystem. Security starts with being aware of what needs to be secure.
CICDGuard is a graph based CICD ecosystem visualizer and security analyzer, which
- Represents entire CICD ecosystem in graph form, providing intuitive visibility and solving the awareness problem
- Identifies common security flaws across supported technologies and provides industry best practices and guidelines for identified flaws
- Technologies supported - GitHub, GitHub Action, Jenkins, JFrog, Spinnaker, Drone
AI Generated Summary
The talk addressed security and visibility challenges within the CI/CD ecosystem, arguing that securing the CI/CD platforms themselves—not just integrating security controls into pipelines—is critical due to their access to sensitive organizational data and intellectual property. The speaker outlined a broad attack surface encompassing compromised Jenkins consoles, vulnerable GitHub Actions (including self-hosted runners), SSO credential theft across integrated platforms, and insecure third-party plugins or actions.
A three-step methodology was proposed: 1) ensuring software components are secure by default, both as a provider and a diligent consumer (especially for open-source tools); 2) correct implementation and configuration, such as disabling defaults and enforcing MFA; and 3) robust incident response capabilities with proper logging and monitoring.
The core contribution was the introduction of cicd guard, an open-source tool designed to solve the visibility problem. It employs a graph-based architecture, breaking down each CI/CD component (e.g., a Jenkins server into jobs, plugins, servers; GitHub into repos, workflows, runners) into nodes and edges representing relationships. Separate Python-based scan engines target specific technologies (Jenkins, GitHub, GitHub Actions, JFrog), storing normalized data in a Neo4j graph database. An analysis engine then identifies security misconfigurations (e.g., vulnerable plugin versions) and, uniquely, cross-technology attack paths—such as a vulnerable GitHub repository triggering a Jenkins build that deploys to an artifact repository.
A demonstration showed the tool mapping relationships between Jenkins and GitHub Actions, visualizing vulnerable nodes and tracing how a compromise in one system could propagate. Practical implications include providing organizations with a unified inventory of CI/CD assets, automated detection of misconfigurations, and the ability to trace potential blast radii across disparate tools. Future work focuses on expanding technology support (e.g., Drone, Spinnaker, GitLab) and enhancing relationship analysis, such as mapping multiple repositories to a single microservice. The tool aims to make the complex, interconnected CI/CD landscape auditable and securable.