ci-cd-security
Safeguard articles tagged "ci-cd-security" — guides, analysis, and best practices for software supply chain and application security.
186 articles
Securing AWS CodePipeline and CodeBuild against supply ch...
CodePipeline and CodeBuild sit where code, secrets, and compute converge unattended — here's where supply chain attacks actually enter and how to close the gaps.
Using GCP Workload Identity Federation for keyless CI/CD ...
GCP Workload Identity Federation lets CI/CD pipelines authenticate with short-lived tokens instead of service account keys. Here's how it works and how to migrate.
Securing Cloud Build pipelines and generating SLSA proven...
How to secure Cloud Build supply chain security with least-privilege service accounts and SLSA provenance so tampered builds never reach production.
CI/CD pipeline supply chain attacks explained
A breakdown of how CI/CD supply chain attacks work, from SolarWinds to the 2025 tj-actions/changed-files breach, and how to detect and stop them.
Argument injection vulnerabilities explained
How argument injection (CWE-88) vulnerabilities work, real CVEs like PHPMailer and Git ssh URLs, and how teams detect and prevent CWE-88 flaws.
The tj-actions/changed-files GitHub Action Supply Chain C...
CVE-2025-30066 exposed how a compromised tj-actions/changed-files GitHub Action leaked CI/CD secrets into build logs across 23,000+ repos. Timeline, impact, and fixes.
Jenkins CLI Java Deserialization Remote Code Execution (C...
CVE-2017-1000353 let attackers gain unauthenticated RCE on Jenkins via CLI Java deserialization. Here's the impact, timeline, and how to remediate it.
Jenkins Script Security Sandbox Bypass Leading to RCE (CV...
CVE-2019-1003029 let attackers escape the Jenkins Script Security sandbox and execute arbitrary code via crafted Groovy pipeline scripts.
Jenkins Arbitrary File Read via Crafted CLI Command (CVE-...
CVE-2018-1999002 let attackers read arbitrary files from Jenkins masters via crafted requests to the Stapler framework, exposing secrets and credentials.
GitLab Unauthenticated RCE via ExifTool Image Processing ...
CVE-2021-22205 let attackers gain unauthenticated RCE on self-hosted GitLab via ExifTool image parsing. Here's the affected versions, severity, timeline, and fixes.
Best secrets scanning tools for CI/CD pipelines
A practical, no-hype comparison of secrets scanning tools for CI/CD: what gitleaks, TruffleHog, and GitGuardian catch, and where each one falls short.
Best SLSA-compliant build systems
A fair comparison of SLSA compliant build systems—GitHub Actions, Cloud Build, GitLab, Tekton Chains—with real strengths and limitations for Build Level 3.