CI/CD pipelines are high-value targets. A compromised pipeline can deploy malicious code.
Secrets management:
- Never commit secrets to Git
- Use pipeline secret stores (GitHub Secrets, GitLab CI Variables)
- Inject secrets at runtime; don't bake them into container images
Security scanning:
- SAST: Static analysis of source code
- DAST: Dynamic testing of the running application
- SCA: Scanning third-party dependencies for known vulnerabilities
- Image scanning: e.g. Trivy or Snyk for container images
Best practices:
- Pin dependencies to specific versions
- Sign artifacts
- Audit pipeline access
- Use short-lived credentials
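As an added example (not part of the original notes or of any real tool), a small Python linter that applies three of the points above to a GitHub Actions workflow file: actions pinned to a mutable tag instead of a commit SHA, credential-looking env keys set to literals instead of `${{ secrets.NAME }}`, and credential literals passed into run steps such as docker build-args, which bake them into the image. The workflow text, the 40-hex SHA and the token value are constructed placeholders, and the rule names and regexes are my own heuristics.

```python
import re

# Constructed sample GitHub Actions workflow written for this example (not from
# any real project); it deliberately mixes good and bad practice. The SHA and
# token values are placeholders.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      API_TOKEN: ghp_PLACEHOLDERnotarealtoken
      DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567
      - run: docker build --build-arg TOKEN=hunter2-example .
"""

# "uses: owner/repo@ref" -- ref should be a full 40-hex commit SHA, not a tag.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Credential-looking env keys; the value should be ${{ secrets.NAME }}.
ENV_KEY_RE = re.compile(
    r"^\s*([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|PASSWD|API_KEY)[A-Z0-9_]*)\s*:\s*(.+)$")
# Credential-looking NAME=literal inside a run: step (e.g. docker build-args).
RUN_LITERAL_RE = re.compile(r"(?i)\b(\w*(?:token|secret|password|passwd))=([^\s$\"']\S*)")


def lint_workflow(text):
    """Return (line_no, rule, detail) findings for a workflow file's text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            if not SHA_RE.match(m.group(2)):  # mutable tag/branch ref
                findings.append((n, "unpinned-action", f"{m.group(1)}@{m.group(2)}"))
            continue
        m = ENV_KEY_RE.match(line)
        if m:
            if "${{ secrets." not in m.group(2):  # literal instead of secret store
                findings.append((n, "hardcoded-secret", m.group(1)))
            continue
        if line.lstrip().startswith(("run:", "- run:")):
            for m in RUN_LITERAL_RE.finditer(line):
                findings.append((n, "literal-secret-in-run", m.group(1)))
    return findings
```

Running `lint_workflow(SAMPLE_WORKFLOW)` reports the hardcoded API_TOKEN, the checkout action pinned to a tag, and the TOKEN build-arg, while the SHA-pinned action and the secret-store DB_PASSWORD pass.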