Profile Applicability:
Level 1
Description:
Automated scanners must be deployed to analyze CI pipeline definition files (for example GitHub Actions workflows, .gitlab-ci.yml, Jenkinsfiles, Azure Pipelines YAML) and the scripts they execute, in order to detect security misconfigurations, hardcoded or exposed secrets, insecure scripts (such as piping remote content into a shell), unpinned third-party actions or images, and policy violations. Securing CI pipeline instructions prevents vulnerabilities from being introduced through the pipeline itself and enforces secure build and deployment practices.
Rationale:
CI pipeline definitions are code that runs with access to build credentials, signing keys, and frequently to deployment targets. A misconfigured or maliciously modified pipeline can therefore leak secrets, execute untrusted code with those privileges, or skip security gates before release. Scanning pipeline instructions on every change reduces the risk of exposing secrets, running unsafe code, or bypassing security controls, and so strengthens overall software supply chain security.
Impact:
Pros:
Identifies security flaws in CI/CD configurations early.
Prevents leakage of secrets and credentials.
Ensures adherence to security policies and best practices.
Enhances overall software delivery security posture.
Cons:
Requires integration of scanning tools into CI workflows.
May need periodic tuning to reduce false positives.
Default value:
CI platforms do not scan pipeline definitions for security issues by default. Built-in validators (such as GitLab CI Lint) check only syntax and structure, so without an added scanner misconfigurations and hardcoded secrets in pipeline files go undetected.
Audit:
Confirm that a security scanner runs on every change to pipeline definitions (on push and on merge/pull request) in all relevant repositories, not only a sample of them. Confirm that the scanner is configured to fail the pipeline or block the merge on findings above an agreed severity. Review scan reports and logs for CI pipeline configuration analyses and verify that identified issues were remediated or recorded as accepted exceptions with a justification.
Remediation:
Integrate security scanning tools into CI workflows so they run automatically on pipeline definition changes. Checkov can scan GitHub Actions, GitLab CI, Bitbucket Pipelines, Azure Pipelines, and Argo Workflows definitions; GitLab CI Lint validates the syntax and merged structure of .gitlab-ci.yml and should be paired with a security scanner or custom checks rather than used on its own. Keep the scanner's configuration in the repository, pin the scanner's own version, and establish policies requiring pipeline security validation before merge. Train DevOps and development teams on secure CI pipeline design.
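As an added example of the "custom scripts" option above (this code is not part of the benchmark or any named tool), the following Python scanner runs over a GitHub Actions workflow file and reports four classes of finding named in the Description: hardcoded secret literals (by well-known token prefixes and by secret-bearing key names with literal values), remote content piped into a shell, third-party actions referenced by a mutable tag instead of a commit SHA, and a pull_request_target workflow that checks out the pull request head. The sample workflow is constructed for the example; the rule names, regexes, and secret-key list are this example's own choices, not a standard.

```python
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str


# Token shapes with distinctive prefixes (low false-positive rate).
SECRET_PATTERNS = [
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("slack-token", re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}")),
]
# "<secret-ish key>: <literal>" assignments, e.g. NPM_TOKEN: npm_abc123
SECRET_ASSIGN = re.compile(
    r"^\s*-?\s*([A-Za-z0-9_-]*(?:token|secret|password|passwd|api[_-]?key)[A-Za-z0-9_-]*)\s*:\s*(\S.*)$",
    re.IGNORECASE,
)
# curl/wget output piped straight into a shell (optionally via sudo)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
# uses: owner/repo@ref  (a 40-hex ref is an immutable commit SHA)
USES = re.compile(r"\buses:\s*['\"]?([^@\s'\"]+)@([^\s'\"]+)")
SHA40 = re.compile(r"^[0-9a-f]{40}$")
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")


def scan_workflow(text):
    """Return findings for one workflow file, ordered by line number."""
    lines = text.splitlines()
    # pull_request_target runs with write token/secrets; checking out the
    # PR head there lets a fork run its code with those privileges.
    uses_pr_target = any("pull_request_target" in ln for ln in lines)
    findings = []
    for no, raw in enumerate(lines, 1):
        # drop YAML comments (a '#' at line start or after whitespace)
        ln = re.sub(r"(^|\s)#.*$", "", raw)
        matched_secret = False
        for name, pat in SECRET_PATTERNS:
            if pat.search(ln):
                findings.append(Finding(no, "hardcoded-secret", f"{name} literal in pipeline file"))
                matched_secret = True
        m = SECRET_ASSIGN.match(ln)
        if m and not matched_secret:
            key, value = m.group(1), m.group(2).strip()
            # ${{ secrets.X }} / ${{ ... }} expressions and 'secrets: inherit' are fine
            if "${{" not in value and value != "inherit":
                findings.append(Finding(no, "hardcoded-secret", f"literal value assigned to {key}"))
        if PIPE_TO_SHELL.search(ln):
            findings.append(Finding(no, "pipe-to-shell", "remote script piped into a shell"))
        m = USES.search(ln)
        if m and not SHA40.match(m.group(2)):
            findings.append(Finding(no, "unpinned-action", f"{m.group(1)} pinned to mutable ref {m.group(2)}"))
        if uses_pr_target and PR_HEAD_REF.search(ln):
            findings.append(Finding(no, "pr-target-checkout", "pull_request_target workflow checks out PR head"))
    return findings


# Constructed sample workflow containing four deliberate problems and two
# safe lines (a SHA-pinned action and a ${{ secrets.* }} reference).
SAMPLE_WORKFLOW = """\
name: build
on: [push, pull_request_target]
env:
  NPM_TOKEN: npm_0123456789abcdef
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: curl -sSL https://example.com/install.sh | sudo bash
      - run: echo "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
      - uses: actions/setup-node@8f152de45cc7c3cb2e3e3e61c0c6e8f5b1ca3b29
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
          token: ${{ secrets.NPM_TOKEN }}
"""


def scan_files(paths):
    """Scan workflow files from disk; returns (path, Finding) pairs."""
    out = []
    for p in paths:
        with open(p, encoding="utf-8") as fh:
            out.extend((p, f) for f in scan_workflow(fh.read()))
    return out


if __name__ == "__main__":
    # With file arguments, gate the pipeline: non-zero exit on any finding.
    results = scan_files(sys.argv[1:]) if sys.argv[1:] else [("sample", f) for f in scan_workflow(SAMPLE_WORKFLOW)]
    for path, f in results:
        print(f"{path}:{f.line}: {f.rule}: {f.message}")
    sys.exit(1 if results else 0)
```

Run as `python scan_pipeline.py .github/workflows/*.yml` in a job that precedes the build so a finding fails the pipeline. Line-oriented regexes keep the example dependency-free but cannot see YAML structure (multi-line `run: |` blocks, anchors, or secrets split across lines), which is the kind of gap a full parser or a packaged scanner such as Checkov closes.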
References:
Checkov Infrastructure as Code Scanner: https://www.checkov.io/
GitLab CI/CD Lint Documentation: https://docs.gitlab.com/ee/ci/lint.html
CIS Controls v8, Control 16 - Application Software Security: https://www.cisecurity.org/controls/application-software-security/