# CI/CD Security

Modern CI/CD pipelines require robust security controls integrated throughout the development lifecycle. This guide covers the latest security practices and patterns for CI/CD pipelines.
## Secure Pipeline Design

### Multi-Stage Security Validation

```yaml
# Example Pipeline Structure
stages:
  - validate
  - scan
  - build
  - test
  - security
  - compliance
  - deploy
  - monitor
```
### Zero-Trust Pipeline Architecture

- Isolated build environments
- Ephemeral credentials
- Just-in-time access
- Principle of least privilege
- Network segmentation
## Security Controls

### 1. Pipeline Security Gates

- Code quality thresholds
- Security scan results
- Dependency checks
- License compliance
- Infrastructure validation
### 2. Automated Security Checks

GitHub Actions Example

```yaml
name: Security Pipeline
on: [push, pull_request]
# Least-privilege token for the workflow; CodeQL needs to upload results
permissions:
  contents: read
  security-events: write
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # SAST: CodeQL requires an init step before analyze
      - uses: github/codeql-action/init@v2
      - uses: github/codeql-action/analyze@v2
      # Dependencies (Snyk reads the SNYK_TOKEN secret)
      - uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      # Container / filesystem security
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          exit-code: '1'
          severity: CRITICAL,HIGH
      # IaC Security
      - uses: bridgecrewio/checkov-action@master
      # License Compliance (FOSSA needs an API key secret)
      - uses: fossas/fossa-action@main
        with:
          api-key: ${{ secrets.FOSSA_API_KEY }}
# Note: @master/@main are mutable refs; pin third-party actions to a full commit SHA in production.
```
Azure DevOps Pipeline Example

```yaml
trigger:
  - main
  - release/*

variables:
  azureSubscription: 'Production'

stages:
  - stage: SecurityValidation
    jobs:
      - job: SecurityScans
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          - task: Semmle@1
            inputs:
              sourceCodeDirectory: '$(Build.SourcesDirectory)'
              language: 'cpp,java,python,javascript'
          - task: WhiteSource@21
            inputs:
              cwd: '$(System.DefaultWorkingDirectory)'
          - task: CheckmarxScan@9
            inputs:
              projectName: '$(Build.Repository.Name)'
              enablePolicyMode: true
  # Stages run in order, so compliance checks only start after the scans pass
  - stage: ComplianceCheck
    jobs:
      - job: Compliance
        steps:
          - task: SonarQubePrepare@5
            inputs:
              SonarQube: 'sonarqube-connection'   # service connection name (placeholder)
              scannerMode: 'CLI'
          - task: SonarQubeAnalyze@5
          - task: SonarQubePublish@5
```
## Supply Chain Security

### 1. Dependency Management

- SBOM generation
- Vulnerability scanning
- License compliance checks
- Version pinning
- Dependency updates
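A pipeline security gate for the "version pinning" item above, applied to the workflow's own dependencies: the Automated Security Checks example references actions by `@master` and `@main`, which are mutable refs. This is an added Python example, not code from the original guide; the sample workflow and its 40-hex SHA are constructed placeholders.

```python
import re

# Matches "uses:" entries in a workflow (step actions and reusable workflows).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
MUTABLE_BRANCHES = {"master", "main", "develop"}

# Constructed sample workflow, modelled on the GitHub Actions example above;
# the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: Security Pipeline
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: github/codeql-action/analyze@v2
      - uses: snyk/actions/node@master
      - uses: ./.github/actions/local-check
      - uses: docker://alpine:3.19
"""


def find_unpinned_actions(workflow_text):
    """Return (ref, reason) pairs for every uses: entry that is not immutable."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1).strip("'\"")
        if ref.startswith("./"):
            continue  # local action: versioned together with the repository itself
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((ref, "container image not pinned by digest"))
            continue
        if "@" not in ref:
            findings.append((ref, "no version ref at all"))
            continue
        version = ref.rsplit("@", 1)[1]
        if version in MUTABLE_BRANCHES:
            findings.append((ref, "mutable branch ref"))
        elif not FULL_SHA_RE.match(version):
            findings.append((ref, "tag can be moved; pin to a full commit SHA"))
    return findings


def pinning_gate_passes(workflow_text):
    """Security gate: fail the pipeline if any action is not pinned to a commit SHA."""
    return not find_unpinned_actions(workflow_text)
```

Run it over every file under `.github/workflows/` as a validate-stage step and fail the build when `pinning_gate_passes` returns False.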
### 2. Container Security

```yaml
# Container Build Security
steps:
  - task: ContainerScan@0
    inputs:
      imageName: '$(imageRepository):$(tag)'
      scanType: 'vulnerability'
      severityThreshold: 'CRITICAL'
  - task: ContainerStructureTest@0
    inputs:
      imageName: '$(imageRepository):$(tag)'
      testFile: 'test/container-structure-test.yaml'
```
### 3. Artifact Signing

```yaml
# Artifact Signing Configuration
# Illustrative pipeline schema: cosign itself is driven by its CLI
# (cosign sign / cosign verify); this maps those steps onto pipeline config.
signing:
  provider: cosign
  identities:
    - name: pipeline-signing-key
      type: kms
      keyRef: projects/my-project/locations/global/keyRings/release-keys
  verification:
    - policy: match-signature
      keyRef: projects/my-project/locations/global/keyRings/release-keys
```
## Runtime Security

### 1. Dynamic Security Testing

```yaml
# DAST Integration
security_testing:
  dast:
    zap:
      target: https://staging.app.com
      rules: security-rules.conf
      thresholds:
        high: 0
        medium: 5
    nuclei:
      templates: security-templates/
      severity: critical,high
```
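Gate logic for the two threshold styles used in this guide: per-severity count limits like the ZAP `thresholds` above (`high: 0`, `medium: 5`) and a severity floor like the container scan's `severityThreshold: 'CRITICAL'`. This is an added Python example, not part of the original guide; the normalised finding shape and the sample findings are constructed, and unknown severity labels are treated as CRITICAL so the gate fails closed.

```python
SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample findings in a normalised shape (one dict per finding):
# 1 critical, 1 high, 6 medium, 2 low. A real gate would first map
# ZAP/Nuclei/Trivy output into this form.
SAMPLE_FINDINGS = [
    {"id": "f-%02d" % i, "severity": s}
    for i, s in enumerate(["critical", "high"] + ["medium"] * 6 + ["low"] * 2, 1)
]


def severity_rank(severity):
    """Rank a severity label; unknown labels rank as CRITICAL so the gate fails closed."""
    label = severity.upper()
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else len(SEVERITY_ORDER) - 1


def count_by_severity(findings):
    """Count findings per severity bucket, normalising case and unknown labels."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[SEVERITY_ORDER[severity_rank(f["severity"])]] += 1
    return counts


def evaluate_count_thresholds(findings, thresholds):
    """Count-based gate (ZAP style): thresholds maps severity -> max allowed count.
    Returns (passed, violations); each violation is (severity, count, limit)."""
    counts = count_by_severity(findings)
    violations = []
    for severity, limit in thresholds.items():
        count = counts[severity.upper()]
        if count > limit:
            violations.append((severity.upper(), count, limit))
    return not violations, violations


def evaluate_floor_threshold(findings, threshold):
    """Floor-based gate (severityThreshold style): any finding at or above the
    threshold blocks the pipeline. Returns (passed, blocking_finding_ids)."""
    floor = severity_rank(threshold)
    blocking = [f["id"] for f in findings if severity_rank(f["severity"]) >= floor]
    return not blocking, blocking
```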
### 2. Infrastructure Security

```yaml
# Infrastructure Validation
infrastructure:
  validation:
    - provider: terraform
      policy_set: security-baseline
    - provider: kubernetes
      policy_set: pod-security
    - provider: cloud
      policy_set: compliance-controls
```
## Monitoring and Response

### 1. Security Observability

```yaml
# Security Monitoring Configuration
monitoring:
  providers:
    - name: azure-sentinel
      workspace: security-analytics
    - name: elastic-security
      endpoint: https://es.internal
  alerts:
    - name: high-risk-deployment
      criteria: deployment_risk_score > 80
      channels: ['security-team', 'devops-oncall']
```
### 2. Incident Response

```yaml
# Incident Response Automation
response:
  triggers:
    - event: security_violation
      severity: high
      actions:
        - type: slack_notification
          channel: security-incidents
        - type: jira_ticket
          project: SEC
          priority: P1
        - type: deployment_rollback
          target: last_known_good
```
## Compliance Automation

### 1. Compliance Checks

```yaml
# Compliance Validation
compliance:
  frameworks:
    - standard: PCI-DSS
      controls: [requirement-6, requirement-8]
    - standard: SOC2
      controls: [CC6.1, CC7.1, CC8.1]
  reporting:
    format: [json, pdf]
    schedule: weekly
```
### 2. Audit Logging

```yaml
# Audit Configuration
audit:
  retention: 365d
  destinations:
    - type: cloud_storage
      bucket: audit-logs
    - type: security_analytics
      workspace: compliance-monitoring
  events:
    - category: pipeline_execution
    - category: security_scan
    - category: deployment
    - category: configuration_change
```
## GitOps Security Integration

### 1. Secure GitOps Workflows

```yaml
# Flux Security Configuration
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
  name: secure-apps
spec:
  interval: 1m
  url: https://github.com/org/apps
  ref:
    branch: main
  secretRef:
    name: flux-system
  # A GitRepository verifies the Git commit signature of the checked-out revision
  # against trusted public keys; cosign 'provider' verification applies to
  # OCIRepository sources, not to GitRepository.
  verify:
    mode: head
    secretRef:
      name: flux-gpg-public-keys   # placeholder: secret holding the trusted public keys
```
### 2. Policy Enforcement

```yaml
# OPA/Gatekeeper Policy
# Requires the K8sRequiredLabels ConstraintTemplate from gatekeeper-library.
# Note: a required label only records that validation happened; it does not by
# itself enforce a securityContext on the pods.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: deployment-must-have-security-context
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  parameters:
    message: "Deployments must carry the security-context-validated label"
    labels:
      - key: security-context-validated
```
## Best Practices Summary

- Pipeline Security
  - Implement defense in depth
  - Use security gates
  - Enable audit logging
  - Enforce least privilege
- Supply Chain
  - Generate and verify SBOMs
  - Sign artifacts and images
  - Use trusted base images
  - Implement dependency scanning
- Runtime Security
  - Deploy WAF protection
  - Enable runtime scanning
  - Implement chaos engineering
  - Monitor security metrics
- Compliance
  - Automate compliance checks
  - Maintain audit trails
  - Generate compliance reports
  - Implement policy controls

Remember to regularly review and update security controls as new threats emerge and compliance requirements evolve.