Question 1

How can I use this repo to secure my Jenkins pipeline?

Accepted Answer

Review the 'Techniques' section for Jenkins-specific vulnerabilities, such as runner misconfigurations or plugin flaws, and check the 'Tools' section for frameworks like the Jenkins Attack Framework to simulate attacks and test your defenses.

Question 2

What are the top CI/CD attack methods right now?

Accepted Answer

Based on the catalog, dependency confusion, secrets leakage from misconfigured registries, and GitHub Actions cache poisoning are prominent, as highlighted in recent articles and case studies within the repository.

Question 3

Is Awesome CI/CD Attacks updated with new threats?

Accepted Answer

The repository includes resources from 2021 onward and is maintained on GitHub; you can monitor commit history or contribute to ensure it stays current, but it relies on community input rather than automated updates.

Question 4

How does this compare to the OWASP Top 10 for CI/CD?

Accepted Answer

OWASP provides a broad risk list with general categories, while Awesome CI/CD Attacks offers detailed techniques, real-world examples, and tool references, making it more actionable for hands-on security testing and research.

Question 5

How to start learning about CI/CD attacks if I'm new?

Accepted Answer

Begin with the 'Case Studies' to understand real incidents, then explore 'Techniques' for specific methods, but note that prior knowledge of CI/CD tools like GitHub Actions and basic security concepts is assumed for effective learning.

Question 6

Can I find tools for attacking Azure DevOps in this list?

Accepted Answer

Yes, the 'Tools' section includes ADOKit specifically for Azure DevOps, along with references to other frameworks, but be aware that setup and usage require technical expertise and proper authorization for testing.

CI/CD Attacks

What is CI/CD Attacks?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions