CI/CD Security Checklist
Want to learn more?
Secure your CI/CD pipelines with this comprehensive DevSecOps security checklist.
Read the guide
CI/CD Pipeline Security Gaps?
Our DevSecOps team audits pipelines, implements security gates, and hardens your software delivery.
Frequently Asked Questions
Common questions about the CI/CD Security Checklist
SLSA (Supply-chain Levels for Software Artifacts) is a security framework for protecting software supply chains. It defines four levels of increasing security guarantees, from basic build provenance (L1) to hermetic, reproducible builds (L4).
Never hardcode secrets in code or config files. Use your CI/CD platform's secret management (GitHub Secrets, GitLab CI Variables). Better yet, use OIDC for cloud authentication to eliminate stored credentials.
SAST (Static Application Security Testing) analyzes source code without running it. DAST (Dynamic Application Security Testing) tests running applications. Use both for comprehensive coverage.
Pinning actions to commit SHAs protects against a common supply chain attack: a tag can be moved to point to malicious code, but a commit SHA is immutable. Use actions/checkout@b4ffde65f46... instead of @v4.
Build provenance is cryptographic evidence of where an artifact came from. It enables verification that artifacts weren't tampered with. Generate provenance using SLSA GitHub generator or sigstore/cosign.
Set permissions: {} at the workflow level to disable all permissions, then grant only what's needed per job. Use environment-specific credentials and avoid admin tokens in pipelines.
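The pinning and least-privilege items above, as an added example that is not part of this page or of the checklist tool: a small Python linter that reads GitHub Actions workflow text line by line (no YAML library is assumed), flags every "uses:" reference that is not pinned to a full 40-character commit SHA, and classifies the workflow-level "permissions:" key. The two workflows embedded in it are constructed samples, the "weak" one with movable tag and branch refs and no permissions block, the hardened one starting from "permissions: {}" and granting only contents: read and id-token: write (for OIDC) at the job level; the 40-zero SHA in it is a placeholder, not a real pinned commit.

```python
# Added example (not part of the checklist page): a small, dependency-free
# linter for GitHub Actions workflow text that checks two checklist items,
# unpinned `uses:` references and the top-level `permissions:` key. The two
# workflow strings below are constructed samples; the 40-zero SHA is a placeholder.
import re

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def find_unpinned_actions(workflow_text):
    """Return [(line_no, ref)] for every `uses:` not pinned to a full commit SHA.

    Local actions (./path) and docker:// images are skipped: they are not
    resolved through a movable git tag.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        # "owner/repo@v4" -> version "v4"; no "@" at all means the default branch
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref))
    return findings


def top_level_permissions(workflow_text):
    """Classify the workflow-level `permissions:` key (column 0 only).

    Returns one of: "empty" (permissions: {}), "read-all", "write-all",
    "scoped" (a block mapping follows) or "missing" (inherits the repository
    default). Job-level permissions are indented and deliberately ignored here.
    """
    for line in workflow_text.splitlines():
        if not line.startswith("permissions:"):
            continue
        value = line.split(":", 1)[1].split("#", 1)[0].strip()
        if value == "{}":
            return "empty"
        if value in ("read-all", "write-all"):
            return value
        return "scoped"
    return "missing"


def check_workflow(workflow_text):
    """Run both checks; `ok` is True only when nothing is unpinned and the
    workflow starts from `permissions: {}` as the checklist recommends."""
    unpinned = find_unpinned_actions(workflow_text)
    perms = top_level_permissions(workflow_text)
    return {"unpinned": unpinned, "permissions": perms,
            "ok": not unpinned and perms == "empty"}


# Constructed "before" workflow: a tag and a branch as refs, no permissions key.
WEAK_WORKFLOW = """\
name: deploy
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - run: npm ci && npm run build
"""

# Constructed hardened workflow: `permissions: {}` at the top, only what the
# job needs granted per job (id-token: write enables OIDC instead of a stored
# cloud key), and the third-party action pinned to a full commit SHA with the
# reviewed version kept in a comment. The SHA here is a placeholder.
HARDENED_WORKFLOW = """\
name: deploy
on: push
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4 (placeholder SHA)
      - uses: ./.github/actions/local-build
      - run: npm ci && npm run build
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, check_workflow(text))
```

Running it reports the two unpinned refs on lines 7 and 8 of the weak workflow and "missing" for its permissions, and a clean result for the hardened one. The column-0 test for permissions is intentional: job-level grants are the per-job allow-list the checklist asks for, and they are only meaningful once the workflow-level default is emptied.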
ℹ️ Disclaimer
This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.