CI/CD Security

Your pipeline is code execution infrastructure. Most teams treat it like configuration. We find the gap between those two assumptions.

What we review

Pipeline configuration — script injection, untrusted input, third-party action pinning

Secrets exposure — plaintext secrets in logs, environment bleed, misconfigured masking

OIDC trust chains — GitHub Actions, GCP Workload Identity Federation, token scope

Dependency confusion — internal package naming, registry priority, typosquatting risk

Supply chain integrity — SLSA level assessment, artifact provenance, signing

Access controls — branch protection, required reviewers, environment approval gates

Self-hosted runners — isolation, network access, persistence risks

Container build — base image trust, layer provenance, registry authentication

Platforms we cover

GitHub Actions, GitLab CI, CircleCI, Buildkite, Jenkins, Tekton, ArgoCD

Engagement Models

Architecture Review

1–2 weeks

We review your current architecture, identify systemic risks, and deliver a prioritized findings report with remediation guidance.

Project Engagement

2–6 weeks

Scoped engagement targeting a specific system, migration, or launch. Includes technical review, active testing, and a final debrief.

Security Retainer

Ongoing

On-call security expertise. We review PRs, consult on new designs, respond to incidents, and run quarterly health checks.