CI/CD Cybersecurity SIG

Embed cybersecurity into your CI/CD pipelines to establish robust industry-standard safeguards, ensuring fast and secure software updates.

CI/CD Cybersecurity SIG from The Continuous Delivery Foundation

The CI/CD Cybersecurity SIG will play a pivotal role in advancing CI/CD security and supporting organizations in meeting modern cybersecurity demands. With focused efforts on integration frameworks, best practices, and emerging tooling, this SIG will address the critical need to embed security into every stage of the CI/CD pipeline, ensuring a resilient and secure software development lifecycle.

The mission of the SIG is to identify open-source security tools that seamlessly integrate into various stages of the CI/CD pipeline, enhancing cybersecurity throughout the software development lifecycle with speed and efficiency. As vulnerabilities continue to rise, it’s crucial to evolve pipelines with robust security measures that establish stronger safeguards, protecting software from costly and devastating cyber breaches.

The Continuous Delivery Foundation (CDF) serves as the vendor-neutral home of many of the fastest-growing projects for continuous integration/continuous delivery (CI/CD). It fosters vendor-neutral collaboration between the industry’s top developers, end users and vendors to further CI/CD practices and industry specifications. Its mission is to grow and sustain projects that are part of the broad and growing continuous delivery ecosystem. The CDF is part of the Linux Foundation, home to both the CNCF and OpenSSF.

The Phases of CI/CD where Security is Needed

Code and Prebuild

Building security into Code and Prebuild steps of the CI/CD pipeline.


Build and Deploy

Building security into the Build and Deploy steps of the CI/CD pipeline.


Post Deploy

Building security into Post Deploy steps such as testing, SBOM generation, and continuous vulnerability management.


Who Does CI/CD Cybersecurity Help?

As CEO

“Identifying vulnerabilities early in the CI/CD process isn’t just about security—it’s about efficiency. It saves time, reduces costs, and prevents disruptions that can cripple a business.”

As CEO

“Security is the foundation of customer trust. Integrating it into our CI/CD pipelines ensures we deliver not just great products, but also the peace of mind our customers deserve.”

As CEO

“The faster we innovate, the more important it is to secure our pipelines. Integrated security allows us to move quickly without cutting corners on safety.”

As CTO

“Incorporating security into CI/CD pipelines isn’t just a best practice—it’s a competitive advantage. It allows us to deliver secure, reliable products faster than anyone else in the market.”

As CTO

“As a leader, it’s my responsibility to ensure our development processes are not only efficient but also secure. Integrating security into CI/CD reflects our commitment to excellence at every stage.”

As CTO

“Cyber threats evolve constantly. By embedding security into our CI/CD pipelines, we stay one step ahead, proactively safeguarding our products, customers, and reputation.”

As a Product Manager

“I strive to balance speed with quality. Security in CI/CD ensures we can release quickly without sacrificing the integrity of our product.”

As a Delivery Manager

“By embedding security into the CI/CD process, we eliminate last-minute bottlenecks and streamline delivery, allowing us to keep pace with the market while staying secure.”

As a DevOps Engineer

“DevOps is about delivering value quickly and safely. Integrating security into CI/CD pipelines ensures we achieve both, without compromise.”

As CISO

“Meeting regulatory standards is non-negotiable, and integrating security into CI/CD pipelines ensures we maintain compliance while staying agile and innovative.”

As Production Control

“Integrating security into CI/CD pipelines helps us deliver stable, secure releases, minimizing disruptions in production and ensuring smooth operations.”

As a Software Developer

“I need security in the pipeline because software dependencies are so complex that I cannot prevent every vulnerability from getting through even with the best development practices.”

Get Involved in the SIG

Join the SIG and bring your knowledge to build cybersecurity into CI/CD workflows.

Learn About CI/CD Cybersecurity

Explore the information based on what you want to learn:

  • Phase One: Code and Prebuild - Tools and practices for adding security to repos, code and prebuild CI/CD steps.
  • Phase Two: Build and Deploy - Tools and practices for adding security to your build and deploy CI/CD steps.
  • Phase Three: Post Deploy - Tools and practices for adding security to your post deploy CI/CD steps for continuous vulnerability management and control.
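The Post Deploy phase above names SBOM generation and continuous vulnerability management without showing what the "continuous" part looks like in practice. The script below is an added illustration written for this page, not code from the SIG or the CDF: it reads a CycloneDX-style SBOM, extracts each component's ecosystem, name and version from its package URL (purl), matches the components against an advisory feed shaped loosely like OSV "affected" ranges, and decides whether the result should block the release. Both the SBOM fragment and the advisory entries are constructed, with hypothetical package names and advisory IDs; the version comparison is a simplified numeric comparison, and a real implementation would use ecosystem-specific version semantics and a live advisory source.

```python
"""Added example: match an SBOM against an advisory feed and gate on severity.

Constructed inputs only; advisory IDs, package names and ranges are hypothetical.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed CycloneDX-style SBOM fragment (not a real project's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.3.1",
     "purl": "pkg:pypi/example-http@2.3.1"},
    {"type": "library", "name": "example-yaml", "version": "5.4",
     "purl": "pkg:pypi/example-yaml@5.4"},
    {"type": "library", "name": "example-log", "version": "1.0.0",
     "purl": "pkg:npm/example-log@1.0.0"}
  ]
}
"""

# Constructed advisory feed with hypothetical IDs; "introduced"/"fixed" mimic
# OSV-style half-open ranges: affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "ecosystem": "pypi", "package": "example-http",
     "introduced": "2.0.0", "fixed": "2.3.2", "severity": "HIGH"},
    {"id": "EXAMPLE-2024-0002", "ecosystem": "npm", "package": "example-log",
     "introduced": "0", "fixed": "1.0.0", "severity": "CRITICAL"},
    {"id": "EXAMPLE-2024-0003", "ecosystem": "pypi", "package": "example-yaml",
     "introduced": "5.0", "fixed": None, "severity": "MEDIUM"},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Component:
    ecosystem: str
    name: str
    version: str


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    component: Component
    severity: str
    fixed: Optional[str]


def parse_purl(purl: str) -> tuple[str, str, str]:
    """Split 'pkg:type/[namespace/]name@version[?qualifiers][#subpath]'.

    Namespaces (e.g. npm scopes, Maven groups) are dropped for this example;
    a production matcher must keep them, since two namespaces can share a name.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    ptype, _, remainder = purl[4:].partition("/")
    remainder = remainder.split("?", 1)[0].split("#", 1)[0]
    name_part, _, version = remainder.rpartition("@")
    if not name_part:  # no '@' present, so rpartition put everything in version
        name_part, version = version, ""
    name = name_part.rsplit("/", 1)[-1]
    return ptype, name, version


def parse_version(v: str) -> tuple[int, ...]:
    """Simplified numeric version tuple; leading digits of each dot-part only."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if introduced <= version < fixed (fixed=None means no fix yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_json: str) -> list[Component]:
    """Extract components from a CycloneDX JSON document via their purls."""
    bom = json.loads(sbom_json)
    return [Component(*parse_purl(c["purl"])) for c in bom.get("components", [])
            if c.get("purl")]


def match_advisories(components: list[Component], advisories: list[dict]) -> list[Finding]:
    """Cross-reference every component with every advisory for its ecosystem."""
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["ecosystem"] != comp.ecosystem or adv["package"] != comp.name:
                continue
            if is_affected(comp.version, adv["introduced"], adv["fixed"]):
                findings.append(Finding(adv["id"], comp, adv["severity"], adv["fixed"]))
    return findings


def should_block(findings: list[Finding], min_severity: str = "HIGH") -> bool:
    """Release gate: block when any finding meets or exceeds min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    return any(SEVERITY_RANK[f.severity] >= threshold for f in findings)


if __name__ == "__main__":
    found = match_advisories(load_components(SBOM_JSON), ADVISORIES)
    for f in found:
        print(f"{f.advisory_id} {f.severity}: {f.component.ecosystem}/{f.component.name}"
              f"@{f.component.version} (fixed in {f.fixed or 'no fix yet'})")
    print("BLOCK" if should_block(found) else "PASS")
```

Re-running this check on a schedule against the SBOM stored for each deployed release, rather than only once at build time, is what turns a one-off scan into continuous vulnerability management: a newly published advisory surfaces as a finding for already-deployed artifacts without a rebuild. Note that the pinned `example-log` component is not reported, because its version equals the advisory's `fixed` boundary and half-open ranges exclude it.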