DevSecOps

Securing Your CI/CD Pipeline: 10 Essential Controls

Caliptra TeamDec 28, 20256 min read


Why CI/CD Security Matters

Your CI/CD pipeline is one of the most critical pieces of infrastructure in your organization. It has access to your source code, your secrets, your production environment, and often runs with elevated privileges.

A compromised pipeline can lead to:

  • Malicious code in production

  • Leaked secrets and credentials

  • Supply chain attacks affecting your customers

  • Complete infrastructure takeover


Yet many teams treat pipeline security as an afterthought. Let's fix that.

The 10 Essential Controls

1. Secrets Management

Never hardcode secrets in your repository. This seems obvious, but secrets in git history remain one of the most common security findings.

Implementation:

  • Use a secrets manager (Vault, AWS Secrets Manager, GitHub Secrets)

  • Implement pre-commit hooks to catch secrets before they're committed

  • Scan your git history for existing secrets and rotate them

  • Use short-lived credentials where possible


2. Static Application Security Testing (SAST)

SAST tools analyze your source code for security vulnerabilities without executing it.

Tools to consider:

  • Semgrep (open source, highly customizable)

  • SonarQube (comprehensive, good for larger teams)

  • CodeQL (GitHub native, great for open source)


Implementation tips:
  • Run on every pull request

  • Start with high-confidence rules to avoid alert fatigue

  • Gradually increase coverage as your team matures


3. Software Composition Analysis (SCA)

Most modern applications are 80%+ open source dependencies. SCA tools identify vulnerabilities in those dependencies.

Tools to consider:

  • Dependabot (GitHub native)

  • Snyk (comprehensive, good developer experience)

  • Trivy (open source, fast)


Implementation tips:
  • Enable automatic pull requests for updates

  • Set policies for critical vulnerability response times

  • Review transitive dependencies, not just direct ones


4. Container Image Scanning

If you're deploying containers, you need to scan your images for vulnerabilities.

Tools to consider:

  • Trivy (fast, comprehensive, open source)

  • Grype (from Anchore, open source)

  • Snyk Container (commercial, good integration)


Implementation tips:
  • Scan base images and final images

  • Block deployments with critical vulnerabilities

  • Use minimal base images (distroless, Alpine)


5. Infrastructure as Code Security

Your Terraform, CloudFormation, or Kubernetes manifests can contain misconfigurations that create security risks.

Tools to consider:

  • Checkov (comprehensive IaC scanning)

  • tfsec (Terraform-specific)

  • Trivy (also does IaC scanning)


Common issues caught:
  • Publicly accessible S3 buckets

  • Security groups with 0.0.0.0/0 access

  • Unencrypted resources

  • Missing logging configuration


6. Signed Commits and Branch Protection

Ensure code changes are authentic and properly reviewed.

Implementation:

  • Require signed commits (GPG or SSH)

  • Enable branch protection on main/master

  • Require pull request reviews

  • Require status checks to pass before merge


7. Least Privilege for Pipeline Credentials

Your pipeline should have only the permissions it needs, nothing more.

Implementation:

  • Use separate credentials for different environments

  • Implement just-in-time access where possible

  • Regularly audit pipeline permissions

  • Use OIDC instead of long-lived credentials (GitHub Actions supports this)


8. Artifact Signing and Verification

Sign your build artifacts and verify signatures before deployment.

Implementation:

  • Sign container images with cosign or Notary

  • Implement admission controllers to verify signatures

  • Maintain a secure key management process


9. Pipeline Audit Logging

Know what happened in your pipeline and when.

Implementation:

  • Log all pipeline executions with full context

  • Retain logs for compliance requirements

  • Set up alerts for suspicious activity

  • Review logs regularly


10. Security Gates

Don't just scan — block deployments that don't meet your security standards.

Implementation:

  • Define thresholds for each scan type

  • Block merges/deployments that fail checks

  • Provide clear remediation guidance

  • Allow emergency bypasses with proper approval and audit trail


Putting It All Together

Here's what a secure pipeline flow looks like:

Commit → Pre-commit hooks (secrets scan)
      → Pull Request
          → SAST scan
          → SCA scan
          → IaC scan
          → Code review
          → Signed commit verification
      → Merge to main
          → Build
          → Container scan
          → Sign artifacts
      → Deploy to staging
          → Integration tests
          → Security tests
      → Deploy to production
          → Verification
          → Monitoring

Start Small, Iterate

Don't try to implement all 10 controls at once. Start with:

  • Secrets scanning — immediate, high-impact win

  • SCA — easy to enable, catches known vulnerabilities

  • Branch protection — basic hygiene


Then gradually add more controls as your team's security maturity grows.

Need Help?

Implementing pipeline security can be complex. If you want expert help setting up a secure CI/CD pipeline without slowing down your team, let's talk.

Need Help With DevSecOps?

Our team can help you implement the practices discussed in this article. Let's talk about your specific needs.

Explore Our Services

Related Articles

DevSecOps

Secrets Management: From Hardcoded to Vault

A practical migration guide for moving from environment variables and config files to proper secrets management.

Back to all articles