CI/CD pipeline assessment: poisoned pipeline execution, secret exfiltration, runner compromise, dependency confusion, and artifact integrity.
Who can change what flows into the pipeline, and whether code and configuration reach production through enforced review — covering flow-control gaps, identity and access management, and pipeline-based access controls (PBAC).
Whether the code and configuration that execute inside the pipeline can be poisoned or injected, and whether the runners they execute on are isolated and trustworthy.
How the pipeline stores, scopes, and rotates the secrets it needs — covering exposure of secrets in logs and code, over-scoped tokens and OIDC misconfiguration, and credential hygiene.
The external code, actions, and artifacts the pipeline pulls in and produces — dependency-chain abuse, untrusted third-party actions, and artifact integrity, signing, and provenance.
The governance side of the pipeline — secure system configuration of the CI/CD platforms themselves, and sufficient logging and visibility to detect and investigate attacks.