Question 1

Is supply chain attack the only major risk in CI/CD pipelines?

Accepted Answer

No, the matrix emphasizes that supply-chain attacks are just one part of the attack surface. It details over 30 techniques across categories like Initial Access and Persistence, based on real-world experience from security teams.

Question 2

How to prevent credential dumping in CI/CD environments?

Accepted Answer

Mitigations include avoiding environment variables for credentials, using secret managers with network restrictions, and enabling audit logging. The Credential Access section specifies strategies like rotating credentials and security monitoring.

Question 3

MITRE ATT&CK vs this CI/CD threat matrix: what's the difference?

Accepted Answer

MITRE ATT&CK is a general adversary framework, while this matrix specializes in CI/CD pipelines, mapping techniques specific to components like Git repositories and CI services. It adapts ATT&CK's methodology but focuses on software delivery threats.

Question 4

How to secure GitHub Actions from configuration tampering?

Accepted Answer

The matrix recommends allowing only signed commits, disallowing config changes without review, and adding signatures to CI/CD configs. For GitHub Actions, this means securing .github/workflows files and enabling IP restrictions.

Question 5

What are the risks of using monorepos with CI/CD?

Accepted Answer

In monorepos, attackers might leverage shared credentials to access different folders. Mitigations include setting approvers per folder and isolating CI/CD environments, as noted in the Lateral Movement section.

Question 6

How to implement network restrictions for CI/CD pipelines?

Accepted Answer

Limit egress connections via proxies or IP restrictions for CI/CD components, and restrict network access to cloud APIs. The Execution techniques suggest this to prevent unauthorized data exfiltration.

Common Threat Matrix for CI/CD Pipeline

What is Common Threat Matrix for CI/CD Pipeline?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions