This is the multi-page printable view of this section.
Click here to print.
Return to the regular view of this page.
CI/CD Security Guide
Securing your Continuous Integration and Continuous Deployment (CI/CD) pipeline is no longer optional—it’s essential. This guide is your go-to resource for building, implementing, and optimizing secure CI/CD workflows. Whether you’re a developer, DevOps engineer, or security professional, we provide information on the open-source tools and guidance you need to model security at every stage of your pipeline. From securing code and builds to monitoring post-deployment environments, our hub empowers teams to integrate security seamlessly into their workflows without sacrificing speed or agility. Explore, learn, and transform your CI/CD processes into a fortress of innovation and resilience.
Why this Guide
This guide helps DevOps engineers build security-compliant CI/CD pipelines by mapping new open-source automation tools to evolving security frameworks. As security standards evolve, pipeline updates are essential to ensure safer software development. This guide explores the intersection of security tooling and the CI/CD pipeline, identifying key security practices, tools, and strategies that align with accepted frameworks such as the Secure Software Development Framework and the NIST Cybersecurity Framework. This guide aligns framework-defined tasks with open-source tools to accomplish them.
This CI/CD Cybersecurity Guide has been segmented into three 3 major chapters:
- CI/CD Code and Prebuild - this section includes security tooling for the earliest points in the CI/CD workflow.
- CI/CD Build and Deploy - this section covers security tooling for both the build step and deployment step, regardless of where the deployment is occurring (test or production).
- CI/CD Post Deploy - security does not stop after the binaries have been deployed. This section covers continuous vulnerability management and Dynamic Application Security Testing (DAST).
For more information on Security Frameworks or Public Security Policy, visit the OpenSSF Public Policy or EU Cybersecurity Resilience Act pages.
You can also learn about the OpenSSF Open Source Manifesto to help along the journey.
Compliance Goals
Compliance Policies and Practices are being defined across both public and private sectors. Specifically, the US Executive Order (EO) on Improving the Nation’s Cybersecurity and the EU Cyber Resilience Act (CRA) aim to define how to manage threats and vulnerabilities by establishing standardized frameworks for cybersecurity requirements. These frameworks cover the complete software development process, from design through ongoing monitoring of production software assets.
The inclusion of security tooling in the Continuous Integration and Continuous Deployment (CI/CD) pipeline is one crucial area where policy and practices can be implemented and automated. With the rapid pace of development and deployment in modern DevOps environments, security must be seamlessly embedded into each phase of the pipeline to protect applications and data from vulnerabilities and attacks.This is the new job of the DevOps team. This guide is intended to help the DevOps teams easily navigate the new frameworks and understand the tooling needed to achieve the stated compliance goals.
1 - Phase 1: Code and Prebuild
Security Compliance for Code and Prebuild
Introduction
Integrating security into every stage of the Software Development Life Cycle (SDLC) is more critical than ever. The code and prebuild stage is foundational to creating secure, reliable, and high-performing applications. Failing to address vulnerabilities early can lead to costly fixes, data breaches, and reputational damage down the line.
This section provides a comprehensive guide to the essential security tools that developers and DevOps teams should use during the code and prebuild phase to ensure vulnerabilities are identified and mitigated before they can cause harm. From Static Application Security Testing (SAST) to dependency scanning and secure CI/CD pipelines, the right tools can help you adopt a proactive approach to software security while maintaining development velocity. Following are guidelines from industry frameworks with suggested open source tooling needed to achieve the compliance goals.
1.1 - Secure Software Development Framework
Secure Software Development Framework and Code/Prebuild CI/CD Steps
Achieving Code and Prebuild Tasks of the Secure Software Development Framework
The Secure Software Development Framework, developed by the National Institute of Standards and Technology (NIST), provides a comprehensive approach to ensuring security across the software development process, from initial design through deployment and maintenance. The framework outlines key practices and guidelines that organizations can implement to secure their software development lifecycle (SDLC), with a particular emphasis on integrating security into automated processes. This chapter focuses specifically on DevSecOps tooling and practices related to Code and Prebuild actions of the CI/CD pipeline to achieve:
|
|
| Prepare the Organization (PO) |
Organizations should ensure that their people, processes, and technology are prepared to perform secure software development at the organization level. Many organizations will find some PO practices to also be applicable to subsets of their software development, like individual development groups or projects. |
| Protect the Software (PS) |
Organizations should protect all components of their software from tampering and unauthorized access. |
| Produce Well-Secured Software (PW) |
Organizations should produce well-secured software with minimal security vulnerabilities in its releases. |
| Respond to Vulnerabilities (RV) |
Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future. |
1.1.1 - Protect the Organization (PO)
Protect the Organization (PO) CI/CD Steps
Protect the Organization (PO)
PO.3 Implement Supporting Toolchains
Use automation to reduce human effort and improve the accuracy, reproducibility, usability, and comprehensiveness of security practices throughout the SDLC, as well as provide a way to document and demonstrate the use of these practices. Toolchains and tools may be used at different levels of the organization, such as organization-wide or project-specific, and may address a particular part of the SDLC, like a build pipeline.
Open-Source Tools to Achieve:
Workflow Framework
1.1.2 - Protect the Software (PS)
Protect the Software (PS) CI/CD Steps
Protect the Software (PS)
PS.1.1 Store all forms of code
PS.1.1: Store all forms of code – including source code, executable code, and configuration-as-code – based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access.
Open-Source Tools to Achieve:
Source Repositories
1.1.3 - Produce Well-Secured Software (PW)
Produce Well-Secured Software (PW) CI/CD Steps
Produce Well-Secured Software (PW)
PW.4.1 Acquire and Maintain Well-secured Software
Ensure safe use of components (e.g., software libraries, modules, middleware, frameworks) from commercial, open-source, and other third-party developers for use by the organization’s software. Implement a Software Bill of Materials (SBOM) scan to obtain provenance information for each software component. Establish one or more software repositories to host sanctioned and vetted open-source components.
Open-Source Tools to Achieve:
SBOM Generation and Attestation Tools:
Binary Repositories:
Git Commit Signing:
Repo Security Scanning
PW.7 Review and/or Analyze Human-Readable Code
Help identify vulnerabilities so that they can be corrected before the software is released to prevent exploitation. Using automated methods lowers the effort and resources needed to detect vulnerabilities. Human-readable code includes source code, scripts, and any other form of code that an organization deems human-readable.
Open-Source Tools to Achieve:
1.1.4 - Respond to Vulnerabilites
Respond to Vulnerabilities (RV) CI/CD Steps
Respond to Vulnerabilities (RV)
Task: Identify and Respond to Vulnerabilities
How to Achieve: Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.
RV.1 Identify and Confirm Vulnerabilities on an Ongoing Basis
Open-Source Tools to Achieve:
Identify Vulnerabilities
Static Application Security Testing (SAST):
Dynamic Application Security Testing (DAST):
Software Composition Analysis (SCA):
RV.2 Assess, Prioritize, and Remediate Vulnerabilities
RV.3 Identify Root Cause and help to reduce frequency of vulnerabilities in the future
2 - Phase 2: Build and Deploy
Security Compliance for Build and Deploy
Introduction
As software moves from development to production, the build and deploy stages play a pivotal role in maintaining the integrity, security, and provenance of your application. These phases involve compiling, packaging, and preparing your application for its live environment, making them prime targets for supply chain attacks, unauthorized modifications, and hidden vulnerabilities.
Integrating security into these phases ensures that your code is not only functional but also safeguarded against threats. From dynamic analysis during builds to automated scans for container security and misconfigurations, the right tools can help identify risks before deployment. Moreover, secure deployment pipelines prevent unauthorized changes, enforce compliance, and enable safe rollouts. Compliance for Build and Deploy steps include:
|
|
| Reproducible and Deterministic Builds |
Ensure that software artifacts can be independently verified and reproduced to prevent tampering. |
| Automated Threat Detection and Compliance Enforcement |
Integrate continuous security analysis to detect misconfigurations, vulnerabilities, and unauthorized dependencies before deployment. |
| Policy-Enforced Deployments |
Enforce verifiable security policies ensuring only compliant, attested software reaches production. |
| Trusted Execution Environments (TEEs) |
Secure build environments against tampering using hardware-backed execution environments. |
| Cryptographic Attestation |
Use digital signatures and cryptographic proofs to verify the authenticity and integrity of builds and deployments. |
Following are guidelines from industry frameworks with suggested open source tooling needed to achieve the compliance goals.
2.1 - Secure Software Development Framework
Secure Software Development Framework and Build/Deploy CI/CD Steps
Achieving Build and Deploy Tasks of the Secure Software Development Framework
The Secure Software Development Framework, developed by the National Institute of Standards and Technology (NIST), provides a comprehensive approach to ensuring security across the software development process, from initial design through deployment and maintenance. The framework outlines key practices and guidelines that organizations can implement to secure their software development lifecycle (SDLC), with a particular emphasis on integrating security into automated processes. This chapter focuses specifically on DevSecOps tooling and practices related to Build and Deploy actions of the CI/CD pipeline to achieve:
|
|
| Prepare the Organization (PO) |
Organizations should ensure that their people, processes, and technology are prepared to perform secure software development at the organization level. Many organizations will find some PO practices to also be applicable to subsets of their software development, like individual development groups or projects. |
| Protect the Software (PS) |
Organizations should protect all components of their software from tampering and unauthorized access. |
| Produce Well-Secured Software (PW) |
Organizations should produce well-secured software with minimal security vulnerabilities in its releases. |
| Respond to Vulnerabilities (RV) |
Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future. |
2.1.1 - Protect the Organization (PO)
Protect the Organization (PO) CI/CD Steps
Protect the Organization (PO)
PO.3 Implement Supporting Toolchains
Use automation to reduce human effort and improve the accuracy, reproducibility, usability, and comprehensiveness of security practices throughout the SDLC, as well as provide a way to document and demonstrate the use of these practices. Toolchains and tools may be used at different levels of the organization, such as organization-wide or project-specific, and may address a particular part of the SDLC, like a build pipeline.
2.1.2 - Protect the Software (PS)
Protect the Software (PS) CI/CD Steps
Protect the Software (PS)
2.1.3 - Produce Well-Secured Software (PW)
Produce Well-Secured Software (PW) CI/CD Steps
Produce Well-Secured Software (PW)
A Software Bill of Materials (SBOM) provides visibility into software components, dependencies, and security risks**. When combined with attestation mechanisms, SBOMs enhance trust and traceability across the software supply chain.
Open Source Build Signing and Verification
Ensuring software artifacts remain authentic and unmodified** is essential for a trusted software supply chain**. The following tools provide cryptographic verification** to protect against supply chain attacks**.
Beyond open-source tools, a secure build and deploy pipeline relies on trusted execution environments, deterministic build systems, cryptographic verification, and policy-enforced deployment mechanisms. These technologies provide tamper-proof guarantees, verifiable attestations, and automated security policies to strengthen the software supply chain.
1. Reproducible and Deterministic Build Systems
Ensuring that software builds are reproducible enhances security by allowing independent verification of artifacts. These systems minimize non-determinism and ensure that a given input always produces the same output.
2. Trusted Execution Environments (TEEs) and Confidential Computing
Trusted Execution Environments (TEEs) provide hardware-backed isolation to secure the build process, key management, and code execution. These environments ensure confidentiality and integrity in the build and deploy process and can be found in major cloud providers.
3. Cryptographic Signing and Verification ensures authenticity, integrity, and provenance in the software supply chain.
4. Secure Build and Deployment Policies
Automated security policy enforcement in CI/CD pipelines ensures only verifiably secure software is built and deployed.
.
2.1.4 - Respond to Vulnerabilities (RV)
Respond to Vulnerabilities (RV) CI/CD Steps
Respond to Vulnerabilities (RV)
3 - Phase 3: Post Deploy
Security Compliance for Post Deployment
Introduction
The post-deploy stage of your software delivery pipeline is where your application is live and actively serving users. While much of the focus in DevSecOps is on securing code, builds, and deployments, ensuring robust security doesn’t end there. The post-deploy phase is critical for monitoring, maintaining, and adapting to new threats in real time.
This phase includes tools and practices for continuous monitoring, vulnerability patch management, and incident response. From runtime application self-protection (RASP) to real-time threat detection and log analysis, post-deploy security ensures your application remains secure, compliant, and reliable in production.
Following are guidelines from industry frameworks with suggested open source tooling needed to achieve the compliance goals.
3.1 - Secure Software Development Framework
Secure Software Development Framework Post Build CI/CD Steps
Achieving Post Deploy Tasks of the Secure Software Development Framework
The Secure Software Development Framework, developed by the National Institute of Standards and Technology (NIST), provides a comprehensive approach to ensuring security across the software development process, from initial design through deployment and maintenance. The framework outlines key practices and guidelines that organizations can implement to secure their software development lifecycle (SDLC), with a particular emphasis on integrating security into automated processes. This chapter focuses specifically on DevSecOps tooling and practices related to Post Deploy actions of the CI/CD pipeline to achieve:
|
|
| Prepare the Organization (PO) |
Organizations should ensure that their people, processes, and technology are prepared to perform secure software development at the organization level. Many organizations will find some PO practices to also be applicable to subsets of their software development, like individual development groups or projects. |
| Protect the Software (PS) |
Organizations should protect all components of their software from tampering and unauthorized access. |
| Produce Well-Secured Software (PW) |
Organizations should produce well-secured software with minimal security vulnerabilities in its releases. |
| Respond to Vulnerabilities (RV) |
Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future. |
3.1.1 - Protect the Organization (PO)
Protect the Organization (PO) CI/CD Steps
Protect the Organization (PO)
PO.3 Implement Supporting Toolchains
Use automation to reduce human effort and improve the accuracy, reproducibility, usability, and comprehensiveness of security practices throughout the SDLC, as well as provide a way to document and demonstrate the use of these practices. Toolchains and tools may be used at different levels of the organization, such as organization-wide or project-specific, and may address a particular part of the SDLC, like a build pipeline.
Open-Source Tools to Achieve:
3.1.2 - Protect the Software (PS)
Protect the Software (PS) CI/CD Steps
Protect the Software (PS)
Post Build Software Bill of Material Tools
DAST
Vulnerability Databases
Continuous Vulnerability Patch Management
Application Security Compliance Reporting
3.1.3 - Produce Well-Secured Software (PW)
Produce Well-Secured Software (PW) CI/CD Steps
Produce Well-Secured Software (PW)
3.1.4 - Respond to Vulnerabilities (RV)
Respond to Vulnerabilities (RV) CI/CD Steps
Respond to Vulnerabilities (RV)
Task: Identify and Respond to Vulnerabilities
How to Achieve: Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.
Open-Source Tools to Achieve: