What is CI/CD security, and why does it matter?
CI/CD, short for continuous integration and continuous delivery (or deployment), is the automated pipeline that builds, tests, and ships code to production. CI/CD security protects the systems, processes, and artifacts that pipeline depends on: source code repositories, build artifacts, deployment environments, and secrets. It differs from general DevSecOps by focusing on the pipeline itself as an attack surface, not just the applications running on top of it.
Because pipelines hold privileged access to your entire development ecosystem, they are prime targets for attackers. A single breach can distribute malicious code downstream, cause data breaches, or disrupt services. Consequently, modern CI/CD security prioritizes risks based on actual exploitability and production impact rather than raw scan volume.
According to Wiz's State of Code Security Report 2025, 35% of enterprises run non-ephemeral self-hosted runners with weaker configurations, exposing organizations to lateral movement attacks across repositories and cloud environments.
CI/CD Best Practices [Cheat Sheet]
This comprehensive guide provides you with actionable best practices to mitigate CI/CD security risks.

Pipeline elements that attackers target
Each element below represents a distinct attack surface with its own exposure profile. In practice, the risk any one element poses depends heavily on how it connects to sensitive assets, identities, and runtime environments:
Source code repositories store and version all production code, making them the entry point for code injection and credential theft.
Build servers and workers compile source code into executable artifacts, and a compromised build environment poisons every artifact that follows.
Artifact repositories hold build outputs awaiting deployment. Attackers tamper with these outputs, often through dependency confusion or typosquatting, to propagate malicious code downstream without triggering rescanning.
Deployment environments are where applications run, and weak security controls here give attackers direct access to production systems.
CI runners (such as GitHub-hosted runners) are often over-privileged and under-monitored, making them a reliable pivot point for lateral movement across code repositories.
Orchestration tools (such as ArgoCD or Spinnaker) manage infrastructure deployments and, when exploited, allow attackers to push malicious changes directly into production.
What are the components of CI/CD security?
A complete CI/CD security strategy relies on several integrated scanning and control layers, each targeting a different class of risk in your application security program.
| Component | Pipeline stage | What it does |
|---|---|---|
| Static application security testing (SAST) | Code / Build (CI) | Analyzes source code for vulnerabilities like SQL injection and insecure coding patterns before compilation |
| Software composition analysis (SCA) | Build (CI) | Scans open-source dependencies for known vulnerabilities and license compliance issues |
| Dynamic application security testing (DAST) | Test / Staging (CD) | Detects runtime vulnerabilities in running applications that static analysis misses |
| IaC scanning | Build / Pre-deploy (CI) | Evaluates Terraform, CloudFormation, and similar infrastructure as code definitions for misconfigurations before deployment |
| Container security scanning | Build / Registry | Examines container images for vulnerabilities, malware, and misconfigurations |
| Secrets management | All stages | Covers secure storage, access, and rotation of API keys, passwords, and credentials throughout the pipeline |
Catch code risks before you deploy
Learn how Wiz Code scans IaC, containers, and pipelines to stop misconfigurations and vulnerabilities before they hit your cloud.

Challenges in CI/CD security
Understanding where CI/CD pipelines break down is the starting point for any effective appsec program. The OWASP Top 10 CI/CD Security Risks provides a methodology for identifying the highest-impact vulnerabilities in pipeline environments. Here are five of the most relevant:
Insufficient flow control occurs when pipelines lack mandatory review or approval steps, allowing attackers with limited unauthorized access to push code directly to production. Without branch protection rules and required approvals on version control systems, a single compromised account opens the path to a full pipeline takeover.
Inadequate identity and access management gives pipeline identities, both human accounts and service accounts, broader permissions than their roles require. Excessive permissions mean a compromised runner or developer account can reach far more of the pipeline than it should, expanding the attack surface significantly.
Dependency chain abuse exploits the trust modern pipelines place in open-source packages. Attackers publish malicious versions of popular libraries or take over unmaintained packages, to then inject code that executes within legitimate build processes, making supply chain attacks particularly difficult to detect.
Poisoned pipeline execution involves injecting malicious code into the pipeline itself, typically by manipulating a build script, workflow file, or configuration that the pipeline consumes automatically. The XZ Utils backdoor discovered in 2024 demonstrated just how patient and sophisticated this class of attack can be: an attacker spent years building trust in an open-source project before inserting a backdoor targeting SSH on Linux systems.
Insufficient credential hygiene leaves long-lived tokens, hardcoded secrets, and unrotated API keys exposed across CI/CD environments. Wiz's State of Code Security Report 2025 found that 61% of organizations have secrets exposed in public repositories, including cloud credentials that attackers exploit to reach production infrastructure directly.
As engineering teams adopt AI coding assistants, these challenges gain a new dimension: autonomous agents with broad access to source code and internal APIs blur identity tracing and create CI/CD risks traditional tooling wasn't built to catch.
CI/CD security responsibilities by pipeline stage
Security responsibility in a CI/CD pipeline follows the shared responsibility model: your cloud provider manages physical infrastructure and core platform availability, but your organization owns the security posture of everything running on top.
The table below maps the primary security responsibilities at each stage.
| Pipeline stage | Primary security responsibility | Most critical security controls |
|---|---|---|
| Source | Protect code integrity and access | Branch protection rules, mandatory code reviews, least-privilege repository access |
| Build | Secure the build environment and its inputs | Dependency scanning (SCA), artifact integrity validation, hardened build runners |
| Test | Validate security before promotion | SAST, DAST, IaC scanning, remediate security issues before code progression |
| Deploy | Control what reaches production | Approval gates, environment access controls, post-deployment anomaly monitoring |
Effective security across these stages requires more than controls at every step. Teams need the ability to prioritize issues based on their downstream impact on real assets. A misconfiguration in a test environment carries a different risk than the same misconfiguration in a runner with production credentials attached. Context is what separates actionable security from alert noise.
Best practices and recommendations for CI/CD security
CI/CD security works best when it is embedded in the pipeline by default, not bolted on after the fact. The practices below reflect that principle and cover the most critical control areas for protecting your continuous integration and continuous delivery workflows.
1. Automating CI/CD security scans
Automated security scanning is essential for real-time vulnerability detection at the pace modern DevSecOps workflows demand.
Integrating CD tools like SonarQube, Checkmarx, or Semgrep to trigger on every code commit closes the gap between change and security feedback, and it reduces the likelihood of releasing compromised code to production environments. These automated tests run consistently regardless of team size or release velocity, which removes human error from the detection layer entirely. Route alerts directly into developer workflows through Slack or your issue tracker so findings reach the people who can act on them immediately, without requiring a handoff to a separate security team.
2. Runtime monitoring and incident response
Extending your security posture beyond static scanning into runtime monitoring gives teams the visibility to detect security threats that only materialize after deployment.
Connecting CI/CD pipeline logs and events to a security information and event management (SIEM) platform, such as Splunk or Datadog, enables real-time anomaly detection for events. For example: off-hours commits, unusual pipeline configurations, or atypical resource utilization. A CI/CD-specific incident response playbook documents the steps for isolating compromised components, rolling back suspicious deployments, and conducting forensic analysis. A well-maintained playbook shortens response time when an incident occurs and reduces reliance on improvised decisions under pressure.
3. Managing secrets effectively
Secrets sprawl ranks among the most consistently exploited weaknesses in CI/CD environments, and the consequences are severe since a single leaked cloud credential in a public repository can give an attacker direct access to production infrastructure.
A dedicated secrets manager, like HashiCorp Vault, AWS Secrets Manager, or an equivalent, provides dynamic secrets, automated rotation, and detailed audit logs that protect sensitive information without manual intervention. Pre-commit hooks and secret scanning tools catch hardcoded credentials before they enter code repositories. Short-lived tokens, rotated on a regular schedule, reduce the window of opportunity for any leaked credentials to cause damage.
4. Implementing immutable infrastructure
Immutable infrastructure eliminates configuration drift and makes unauthorized changes detectable by design.
When infrastructure as code definitions serve as the single source of truth for your deployment environments, any deviation from those definitions signals a potential security event worth investigating. IaC scanning for Terraform and CloudFormation catches misconfigurations before deployment, while container image pinning ensures production workloads run exactly what security teams have reviewed and approved.
Together, these practices transform infrastructure management into a secure, repeatable process that limits human error and strengthens your overall security posture.
5. Establishing RBAC
The principle of least privilege applies to every identity in the pipeline, human accounts and service accounts alike. Role-based access control (RBAC) at the pipeline level means scoping permissions tightly by role, separating deployment authority from approval authority, and auditing permissions regularly to remove access that no longer reflects current responsibilities.
Automation accounts deserve particular scrutiny because they accumulate permissions over time and rarely receive the same review cadence as user accounts. Tying access reviews to role changes and offboarding processes closes that gap and keeps your authentication controls aligned with your actual team structure.
Strengthen your CI/CD security posture
CI/CD security requires controls at every pipeline stage, from commit through deployment, with the ability to correlate findings across layers and prioritize what is actually exploitable in your environment.
Wiz Code integrates natively with CI/CD platforms, including GitHub Actions, GitLab CI, and Jenkins to surface exploitable risks in context. This correlates IaC misconfigurations, code-level vulnerabilities, and cloud risk signals without requiring teams to leave their existing workflows.
Get a demo to see how Wiz Code works in your environment. Or download the CI/CD Security Best Practices Cheat Sheet for a stage-by-stage reference to securing your pipeline.
Secure your workloads, from build-time to run-time
See why Wiz is one of the few cloud security platforms that security and devops teams both love to use.
FAQs about CI/CD security
The questions below address the most common starting points for teams building or inheriting CI/CD security programs.