The CI/CD Supply Chain Security Checklist (That Your Dev Team Will Actually Use)

The CircleCI breach exposed customer secrets through a stolen SSO session cookie. GitLab’s massive vulnerability, CVE-2024-9164 (CVSS 9.6), let attackers execute pipelines on any branch to access every configured secret. Travis CI exposed over 73,000 sensitive tokens through public build logs.

Your CI/CD pipeline deploys code while storing credentials that unlock your entire production infrastructure. When that pipeline is compromised, attackers inherit deployment permissions to every environment you’ve connected.

Most CI/CD security guidance either gathers dust as a theoretical checklist or creates complex implementations that developers simply bypass under deadline pressure.

This CI/CD security checklist provides 6 tactical security controls that eliminate real attack vectors without slowing down your deployments. Each control addresses vulnerabilities exploited in recent production breaches while maintaining the velocity your team needs.

1. Eliminate Pipeline Secrets

Long-lived tokens stored in CI/CD variables create persistent attack vectors. If you need secrets just to access your secret management system, you’ve created a recursive security problem with no clean solution.

Audit and Replace Static Credentials

• Audit Existing Credentials: Scan all pipeline variables for hardcoded credentials across your GitHub Actions workflows, GitLab CI/CD configurations, and Jenkins pipelines. 

Tools like GitGuardian and TruffleHog automate this, but a manual review of environment variables is still essential for full coverage.

• Replace with Federation (OIDC): OIDC federation allows platforms like GitHub Actions and GitLab CI/CD to authenticate directly to AWS, Azure, and GCP without storing long-lived tokens. 

Your pipeline receives a signed identity token from the CI/CD platform, exchanges it for temporary cloud credentials, and never touches a static API key.

Example (GitHub Actions to AWS): Configure AWS to trust the CI platform as an identity provider, then create an IAM role that validates the token’s subject claim matches your repository and branch. 

Your workflow requests an identity token, exchanges it for temporary AWS credentials, and proceeds with deployment – zero static secrets stored anywhere.

Implement Workload Identity Federation

Workload Identity Federation eliminates the bootstrap problem entirely. Workloads authenticate based on cryptographically verified environment attributes rather than stored secrets. No initial credential is required, there’s no secret rotation burden, and the persistent attack surface is gone.

You’re done when zero static credentials exist in pipeline configurations and every authentication uses identity-based access.

2. Secure Your Dependencies

Package repositories represent high-value targets for attackers. A single compromised dependency propagates to every pipeline that pulls it, turning your CI/CD system into a distribution mechanism for malicious code.

• Lock Dependency Versions with Checksums: Pin exact versions in your package manifests. Include checksums to verify package integrity during installation. This prevents accidental updates and protects against tampering during transit.
• Enable Automated Vulnerability Scanning: Integrate scanning tools like Snyk, Dependabot, and Trivy directly into your pipelines. 

Fail builds immediately when critical vulnerabilities appear. Integrating scanning early gives developers instant feedback.

• Verify Package Signatures: Where available (e.g., npm, PyPI, Docker Content Trust), enable these verification mechanisms. This ensures packages come from trusted publishers and haven’t been modified.
• Pin Container Images by Digest: Never use mutable tags like latest or v1.2. Digests cryptographically identify specific image versions and prevent substitution attacks.

You’re done when all dependencies are locked, scanned, verified, and immutable.

3. Isolate Pipeline Access

A single compromised pipeline should never compromise your entire infrastructure. When pipelines share credentials across environments, an attack in development instantly becomes a production breach.

• Segregate Service Accounts per Environment: Your development pipeline needs dev permissions, not production access. Create completely separate identities for dev, staging, and production deployments with no credential overlap.
• Apply Least Privilege to Pipeline Permissions: Start with zero permissions and add only what each pipeline absolutely requires. Your Kubernetes deployment pipeline needs pod deployment permissions, not cluster admin rights.
• Require Approvals for Production Deployments: Manual approval gates create a checkpoint for security and reliability before production changes. Automated deployments enable velocity in dev; controlled deployments ensure stability in prod.
• Isolate Sensitive Pipelines from Broad Network Access: Pipelines handling production deployments or sensitive data should run in restricted network segments with explicit allowlists. This limits an attacker’s lateral movement if the runner is compromised.

You’re done when each environment has isolated, minimal permissions and production access requires explicit approval.

4. Secure Runtime Authentication

Your CI/CD pipeline authenticates with elevated permissions to deploy applications, but deployed applications should not inherit those same broad permissions. Applications often use the same long-lived secrets for service-to-service communication that created the pipeline vulnerability in the first place.

• Implement Workload Identity for Deployed Applications: Applications should authenticate based on their runtime environment (Kubernetes ServiceAccounts, AWS IAM roles for EC2, Azure managed identities) rather than stored credentials. 

The platform verifies identity cryptographically without requiring any secrets.

• Use Short-Lived, Just-in-Time Credentials: Use these for all service access. Replace static database passwords with temporary tokens that expire after use. Generate API keys on-demand. The shorter the credential lifetime, the smaller the window for exploitation.
• Authenticate API Calls with Service-Specific Tokens: When a microservice calls an API, it should present a token scoped to that specific interaction, not a broad, shared credential. Policy-based access control determines exactly what each workload can access.
• Replace Database Passwords with Identity-Based Authentication: Use cloud database features that support IAM authentication. This allows applications to connect using their workload identity instead of a stored password, eliminating a major source of leaks.

You’re done when no long-lived credentials exist in running applications and every service-to-service call uses identity-based authentication.

5. Monitor Pipeline Security Events

Pipeline compromises frequently go undetected because security teams treat CI/CD as development infrastructure rather than a production attack surface. By the time you discover an incident, attackers have likely already moved laterally.

• Log All Authentication Events and Credential Requests: Every pipeline execution, credential issuance, and permission grant must generate an audit log with full context. Capture who requested access, what identity they presented, which policy applied, and whether access was granted or denied.
• Alert on Unusual Pipeline Execution Patterns: A pipeline executing outside business hours, deploying to unexpected environments, or requesting credentials it’s never used before signals potential compromise. Establish baselines for normal behavior and trigger alerts immediately on deviations.
• Integrate Pipeline Logs with SIEM Systems: CI/CD security events must feed directly into your organization’s broader security monitoring. Correlating pipeline activity with other security signals reveals attack patterns that individual events might miss.
• Document Incident Response Procedures: Create specific procedures for pipeline compromise. Define which credentials to rotate immediately, which deployments to roll back, and which teams to notify. Have these answers prepared before you need them.

You’re done when you have complete visibility into pipeline security events and automated alerting on suspicious activity.

6. Make Security Seamless

Complex security measures get bypassed when a deadline looms. Developers will always choose the path of least resistance – if the secure option creates friction, the insecure option wins.

• Automate Security Scans in Pipeline Execution: Vulnerability scanning, dependency verification, and policy checks should happen automatically on every commit. Developers receive immediate feedback without manual intervention, and insecure code never reaches production.
• Provide Clear, Actionable Error Messages:  “Authentication failed” tells developers nothing useful. “Pipeline requires OIDC federation – add these three lines to your workflow configuration” gives them a solution. Security failures should include remediation steps, not just rejection notices.
• Create Self-Service Security Tools: Integrate these directly into developer workflows. Automated, policy-based access with built-in guardrails enables developer autonomy without security risk.

You’re done when the secure path requires less effort than insecure alternatives and developers choose security by default.

Implement Timeline 

Week 1: Audit and Configure Federation

Audit all pipeline credentials using your cloud provider’s CLI tools. Configure OIDC trust relationships between your CI platform and cloud providers – this typically takes 2-3 hours per cloud environment.

Expected outcome: Complete inventory of static credentials and functioning OIDC federation for at least one pipeline.

Week 2: Lock Down Dependencies and Monitoring

Replace remaining service account keys with identity-based authentication. Generate and commit lockfiles for all projects, then configure CI to reject builds that don’t verify checksums. Implement centralized logging for pipeline security events.

Expected outcome: All builds enforcing cryptographic verification and security events flowing to your SIEM.

Week 3: Deploy Runtime Identity and Response Procedures

Implement workload identity for your highest-risk production workloads first. Separate deployment service accounts from runtime service accounts in all environments. Document incident response procedures.

Expected outcome: Production workloads receiving credentials with sub-hour TTLs, zero long-lived credentials in application configuration, and documented response procedures ready for execution.

The Secretless Evolution

Traditional approaches focus on managing secrets better by rotating them faster and storing them more securely.  The next evolution eliminates them entirely through environment-based attestation and just-in-time access.

Modern Workload IAM platforms authenticate applications based on the runtime environment rather than stored secrets. This removes the attack vector completely while improving developer experience. Applications never handle credentials. They present cryptographically verified identity, receive temporary access based on policy, and never store anything that could leak.Aembit’s Workload IAM platform implements the secretless authentication patterns described here, with no-code deployment across AWS, Azure, GCP, and SaaS platforms. The path forward starts with treating workload identity as fundamental infrastructure, not an authentication afterthought.