This community-led framework identifies the most critical security risks inherent in Continuous Integration and Continuous Deployment (CI/CD) ecosystems, which have become prime targets for supply chain attacks. It provides a structured hierarchy of vulnerabilities, ranging from Insufficient Flow Control Mechanisms (allowing single-actor code pushes) to Poisoned Pipeline Execution (PPE) and Dependency Chain Abuse. From a cybersecurity perspective, the document is essential for DevSecOps and Software Supply Chain Security, as it addresses high-impact topics such as Inadequate Identity and Access Management (IAM), Credential Hygiene (preventing secret leaks in build logs), and Artifact Integrity Validation. By offering specific recommendations for hardening build servers and version control systems, the guide helps organizations defend against sophisticated threats like those seen in the SolarWinds and Codecov breaches, ensuring that automated delivery pipelines do not become a “backdoor” into production environments.
Home / Function (NIST CSF 2.0) / PR - Protect / PS - Platform / SoFa
OWASP Top 10 CI/CD Security Risks
This document focuses on:CI/CD