CI/CD security key takeaways:
  • CI/CD pipelines are high-value targets because they hold direct access to source code, production environments, and secrets throughout the software delivery process.

  • A complete CI/CD security strategy layers multiple controls across static application security testing, software composition analysis, dynamic testing, IaC scanning, and secrets management—each targeting a distinct class of risk.

  • Effective CI/CD security embeds controls into the pipeline by default, covering every stage from source commit through deployment with measures matched to that stage's attack surface.

  • Tools like Wiz Code integrate natively with CI/CD platforms like GitHub Actions, GitLab CI, and Jenkins to surface exploitable risks in context without requiring teams to leave their existing workflows.

What is CI/CD security, and why does it matter?

CI/CD, short for continuous integration and continuous delivery (or deployment), is the automated pipeline that builds, tests, and ships code to production. CI/CD security protects the systems, processes, and artifacts that pipeline depends on: source code repositories, build artifacts, deployment environments, and secrets. It differs from general DevSecOps by focusing on the pipeline itself as an attack surface, not just the applications running on top of it.

Because pipelines hold privileged access to your entire development ecosystem, they are prime targets for attackers. A single breach can distribute malicious code downstream, cause data breaches, or disrupt services. Consequently, modern CI/CD security prioritizes risks based on actual exploitability and production impact rather than raw scan volume.

According to Wiz's State of Code Security Report 2025, 35% of enterprises run non-ephemeral self-hosted runners with weaker configurations, exposing organizations to lateral movement attacks across repositories and cloud environments.

CI/CD Best Practices [Cheat Sheet]

This comprehensive guide provides you with actionable best practices to mitigate CI/CD security risks.

Pipeline elements that attackers target

Each element below represents a distinct attack surface with its own exposure profile. In practice, the risk any one element poses depends heavily on how it connects to sensitive assets, identities, and runtime environments:

  • Source code repositories store and version all production code, making them the entry point for code injection and credential theft.

  • Build servers and workers compile source code into executable artifacts, and a compromised build environment poisons every artifact that follows.

  • Artifact repositories hold build outputs awaiting deployment. Attackers tamper with these outputs, often through dependency confusion or typosquatting, to propagate malicious code downstream without triggering rescanning.

  • Deployment environments are where applications run, and weak security controls here give attackers direct access to production systems.

  • CI runners (such as GitHub-hosted runners) are often over-privileged and under-monitored, making them a reliable pivot point for lateral movement across code repositories.

  • Orchestration tools (such as ArgoCD or Spinnaker) manage infrastructure deployments and, when exploited, allow attackers to push malicious changes directly into production.

What are the components of CI/CD security?

A complete CI/CD security strategy relies on several integrated scanning and control layers, each targeting a different class of risk in your application security program.

ComponentPipeline stageWhat it does
Static application security testing (SAST)Code / Build (CI)Analyzes source code for vulnerabilities like SQL injection and insecure coding patterns before compilation
Software composition analysis (SCA)Build (CI)Scans open-source dependencies for known vulnerabilities and license compliance issues
Dynamic application security testing (DAST)Test / Staging (CD)Detects runtime vulnerabilities in running applications that static analysis misses
IaC scanningBuild / Pre-deploy (CI)Evaluates Terraform, CloudFormation, and similar infrastructure as code definitions for misconfigurations before deployment
Container security scanningBuild / RegistryExamines container images for vulnerabilities, malware, and misconfigurations
Secrets managementAll stagesCovers secure storage, access, and rotation of API keys, passwords, and credentials throughout the pipeline
Catch code risks before you deploy

Learn how Wiz Code scans IaC, containers, and pipelines to stop misconfigurations and vulnerabilities before they hit your cloud.

For information about how Wiz handles your personal data, please see our Privacy Policy.

Challenges in CI/CD security

Understanding where CI/CD pipelines break down is the starting point for any effective appsec program. The OWASP Top 10 CI/CD Security Risks provides a methodology for identifying the highest-impact vulnerabilities in pipeline environments. Here are five of the most relevant:

  • Insufficient flow control occurs when pipelines lack mandatory review or approval steps, allowing attackers with limited unauthorized access to push code directly to production. Without branch protection rules and required approvals on version control systems, a single compromised account opens the path to a full pipeline takeover.

  • Inadequate identity and access management gives pipeline identities, both human accounts and service accounts, broader permissions than their roles require. Excessive permissions mean a compromised runner or developer account can reach far more of the pipeline than it should, expanding the attack surface significantly.

  • Dependency chain abuse exploits the trust modern pipelines place in open-source packages. Attackers publish malicious versions of popular libraries or take over unmaintained packages, to then inject code that executes within legitimate build processes, making supply chain attacks particularly difficult to detect.

  • Poisoned pipeline execution involves injecting malicious code into the pipeline itself, typically by manipulating a build script, workflow file, or configuration that the pipeline consumes automatically. The XZ Utils backdoor discovered in 2024 demonstrated just how patient and sophisticated this class of attack can be: an attacker spent years building trust in an open-source project before inserting a backdoor targeting SSH on Linux systems.

  • Insufficient credential hygiene leaves long-lived tokens, hardcoded secrets, and unrotated API keys exposed across CI/CD environments. Wiz's State of Code Security Report 2025 found that 61% of organizations have secrets exposed in public repositories, including cloud credentials that attackers exploit to reach production infrastructure directly.

As engineering teams adopt AI coding assistants, these challenges gain a new dimension: autonomous agents with broad access to source code and internal APIs blur identity tracing and create CI/CD risks traditional tooling wasn't built to catch.

CI/CD security responsibilities by pipeline stage

Security responsibility in a CI/CD pipeline follows the shared responsibility model: your cloud provider manages physical infrastructure and core platform availability, but your organization owns the security posture of everything running on top.

The table below maps the primary security responsibilities at each stage.

Pipeline stagePrimary security responsibilityMost critical security controls
SourceProtect code integrity and accessBranch protection rules, mandatory code reviews, least-privilege repository access
BuildSecure the build environment and its inputsDependency scanning (SCA), artifact integrity validation, hardened build runners
TestValidate security before promotionSAST, DAST, IaC scanning, remediate security issues before code progression
DeployControl what reaches productionApproval gates, environment access controls, post-deployment anomaly monitoring

Effective security across these stages requires more than controls at every step. Teams need the ability to prioritize issues based on their downstream impact on real assets. A misconfiguration in a test environment carries a different risk than the same misconfiguration in a runner with production credentials attached. Context is what separates actionable security from alert noise.

Best practices and recommendations for CI/CD security

CI/CD security works best when it is embedded in the pipeline by default, not bolted on after the fact. The practices below reflect that principle and cover the most critical control areas for protecting your continuous integration and continuous delivery workflows.

1. Automating CI/CD security scans

Automated security scanning is essential for real-time vulnerability detection at the pace modern DevSecOps workflows demand. 

Integrating CD tools like SonarQube, Checkmarx, or Semgrep to trigger on every code commit closes the gap between change and security feedback, and it reduces the likelihood of releasing compromised code to production environments. These automated tests run consistently regardless of team size or release velocity, which removes human error from the detection layer entirely. Route alerts directly into developer workflows through Slack or your issue tracker so findings reach the people who can act on them immediately, without requiring a handoff to a separate security team.

2. Runtime monitoring and incident response

Extending your security posture beyond static scanning into runtime monitoring gives teams the visibility to detect security threats that only materialize after deployment. 

Connecting CI/CD pipeline logs and events to a security information and event management (SIEM) platform, such as Splunk or Datadog, enables real-time anomaly detection for events. For example: off-hours commits, unusual pipeline configurations, or atypical resource utilization. A CI/CD-specific incident response playbook documents the steps for isolating compromised components, rolling back suspicious deployments, and conducting forensic analysis. A well-maintained playbook shortens response time when an incident occurs and reduces reliance on improvised decisions under pressure.

3. Managing secrets effectively

Secrets sprawl ranks among the most consistently exploited weaknesses in CI/CD environments, and the consequences are severe since a single leaked cloud credential in a public repository can give an attacker direct access to production infrastructure. 

A dedicated secrets manager, like HashiCorp Vault, AWS Secrets Manager, or an equivalent, provides dynamic secrets, automated rotation, and detailed audit logs that protect sensitive information without manual intervention. Pre-commit hooks and secret scanning tools catch hardcoded credentials before they enter code repositories. Short-lived tokens, rotated on a regular schedule, reduce the window of opportunity for any leaked credentials to cause damage.

4. Implementing immutable infrastructure

Immutable infrastructure eliminates configuration drift and makes unauthorized changes detectable by design. 

When infrastructure as code definitions serve as the single source of truth for your deployment environments, any deviation from those definitions signals a potential security event worth investigating. IaC scanning for Terraform and CloudFormation catches misconfigurations before deployment, while container image pinning ensures production workloads run exactly what security teams have reviewed and approved.

Together, these practices transform infrastructure management into a secure, repeatable process that limits human error and strengthens your overall security posture.

5. Establishing RBAC

The principle of least privilege applies to every identity in the pipeline, human accounts and service accounts alike. Role-based access control (RBAC) at the pipeline level means scoping permissions tightly by role, separating deployment authority from approval authority, and auditing permissions regularly to remove access that no longer reflects current responsibilities. 

Automation accounts deserve particular scrutiny because they accumulate permissions over time and rarely receive the same review cadence as user accounts. Tying access reviews to role changes and offboarding processes closes that gap and keeps your authentication controls aligned with your actual team structure.

Strengthen your CI/CD security posture

2026 Latio Application Security Report

CI/CD security requires controls at every pipeline stage, from commit through deployment, with the ability to correlate findings across layers and prioritize what is actually exploitable in your environment. 

Wiz Code integrates natively with CI/CD platforms, including GitHub Actions, GitLab CI, and Jenkins to surface exploitable risks in context. This correlates IaC misconfigurations, code-level vulnerabilities, and cloud risk signals without requiring teams to leave their existing workflows. 

Get a demo to see how Wiz Code works in your environment. Or download the CI/CD Security Best Practices Cheat Sheet for a stage-by-stage reference to securing your pipeline.

Secure your workloads, from build-time to run-time

See why Wiz is one of the few cloud security platforms that security and devops teams both love to use.

For information about how Wiz handles your personal data, please see our Privacy Policy.


FAQs about CI/CD security

The questions below address the most common starting points for teams building or inheriting CI/CD security programs.