Your CI/CD pipeline has more secrets than your production environment. It is a prime attack target.
Top Security Controls
- OIDC Authentication: Use GitHub OIDC to assume AWS/Azure roles without storing long-lived credentials.
- Least Privilege: Build agents should only have permissions to push images, not modify IAM.
- Signed Commits: Require GPG-signed commits before triggering builds.
- Dependency Pinning: Use SHA digests for Docker base images, not
:latest.
Discover more from C4: Container, Code, Cloud & Context
Subscribe to get the latest posts sent to your email.