
How to Secure Your CI/CD Pipeline Before It's Used Against You

In April 2026, hackers compromised the official Bitwarden CLI by breaking into the company's own build pipeline. The source code was fine — the release was poisoned. Here's a practical guide to securing your pipeline against the same kind of attack.


The Build Pipeline Is the New Attack Surface

In April 2026, attackers compromised Bitwarden's official CLI package—not by modifying source code, but by infiltrating the build pipeline itself. The malicious code executed during installation, silently exfiltrating credentials before anyone noticed.

This attack pattern is becoming increasingly common. Modern applications depend on hundreds of packages from sources developers never verify. A single compromised dependency can cascade through thousands of downstream projects.

Why Pipelines Became Prime Targets

The Bitwarden attack exploited a preinstall hook—code that runs automatically during package installation. The malicious payload harvested:

  • GitHub tokens
  • npm credentials
  • SSH keys
  • Cloud provider access keys

The Jaguar Land Rover breach followed similar supply chain compromise patterns, ultimately costing £1.9 billion in damages and lost production.

The lesson is clear: your CI/CD pipeline is only as secure as its weakest dependency.

The 7-Step Pipeline Security Checklist

1. Generate a Software Bill of Materials (SBOM)

Every release needs a complete inventory of what's inside. An SBOM lists every package, version, and transitive dependency—essential for rapid response when vulnerabilities emerge.

Recommended tools:

  • Syft - Open source, fast, supports multiple formats
  • CycloneDX - OWASP standard, wide ecosystem support
  • GitHub Advanced Security - Built-in for GitHub repos

Store SBOMs alongside release artifacts. When the next Log4j hits, you'll know within minutes which builds are affected.
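As an added illustration (not code from this guide or from any of the tools listed), the lookup described above can be run over stored CycloneDX JSON documents. The release labels, the package name example-logger and the function name affected_builds are constructed for the example.

```python
def affected_builds(sboms, package, bad_versions):
    """Map release label -> matching components, for CycloneDX JSON documents.

    sboms: {release label: parsed CycloneDX JSON}; package and bad_versions
    describe the advisory being checked.
    """
    hits = {}
    for release, doc in sboms.items():
        if doc.get("bomFormat") != "CycloneDX":
            continue  # not a CycloneDX document; skip rather than guess
        stack = list(doc.get("components", []))
        while stack:
            comp = stack.pop()
            stack.extend(comp.get("components", []))  # components can nest
            if comp.get("name") == package and comp.get("version") in bad_versions:
                label = comp.get("purl") or f"{package}@{comp['version']}"
                hits.setdefault(release, []).append(label)
    return hits


# Constructed SBOMs for three hypothetical releases (not real packages).
SBOMS = {
    "api-1.4.0": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "example-logger", "version": "2.14.1",
         "purl": "pkg:npm/example-logger@2.14.1"}]},
    "api-1.5.0": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "example-logger", "version": "2.17.0",
         "purl": "pkg:npm/example-logger@2.17.0"}]},
    "worker-0.9.2": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "example-framework", "version": "3.0.0",
         "components": [
             {"type": "library", "name": "example-logger", "version": "2.14.1"}]}]},
}

if __name__ == "__main__":
    found = affected_builds(SBOMS, "example-logger", {"2.14.1"})
    for release, comps in sorted(found.items()):
        print(release, comps)
```
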

2. Pin Dependencies and Verify Lock Files

Most teams pin direct dependencies but allow transitive dependencies to float—a critical gap attackers exploit.

Required lock files:

  • package-lock.json (npm)
  • poetry.lock (Python)
  • go.sum (Go)
  • Pipfile.lock (Pipenv)

Your CI must verify lock files haven't changed unexpectedly:

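# npm: fails if package-lock.json and package.json disagree;
# --ignore-scripts skips lifecycle hooks such as preinstall
npm ci --ignore-scripts

# Python: fail if poetry.lock is out of sync with pyproject.toml, then install from the lock
poetry check --lock
poetry install --no-root

# Go: confirm cached modules have not been modified since they were downloaded
go mod verify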

When lock files change, review the diff carefully before merging.
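To make that review concrete, here is an added example (not part of the original guide) that audits a package-lock.json in lockfile version 2 or 3 for the entries a reviewer should look at first: tarballs resolved outside the approved registry, missing sha512 integrity hashes, and packages that declare install scripts such as the preinstall hook described earlier. The approved registry URL, the function name and the sample lock file are assumptions constructed for the illustration.

```python
import json

REGISTRY = "https://registry.npmjs.org/"  # assumption: the only approved source


def audit_lockfile(text, registry=REGISTRY):
    """Return sorted (package path, finding) tuples for a package-lock.json v2/v3."""
    lock = json.loads(text)
    if lock.get("lockfileVersion", 1) < 2:
        return [("", "old-lockfile-format")]  # no 'packages' map to audit
    findings = []
    for path, meta in lock.get("packages", {}).items():
        # Root project, workspace folders, links and bundled deps carry no tarball.
        if not path.startswith("node_modules/") or meta.get("link") or meta.get("inBundle"):
            continue
        if not meta.get("resolved", "").startswith(registry):
            findings.append((path, "off-registry"))
        if not meta.get("integrity", "").startswith("sha512-"):
            findings.append((path, "no-sha512"))
        if meta.get("hasInstallScript"):
            findings.append((path, "install-script"))
    return sorted(findings)


# Constructed lock file: package names, URLs and hashes are placeholders.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-ok": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/left-ok/-/left-ok-1.2.3.tgz",
            "integrity": "sha512-CONSTRUCTED"},
        "node_modules/odd-source": {
            "version": "0.0.7",
            "resolved": "https://packages.example.invalid/odd-source-0.0.7.tgz",
            "integrity": "sha512-CONSTRUCTED", "hasInstallScript": True},
        "node_modules/no-hash": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/no-hash/-/no-hash-2.0.0.tgz"},
    }})

if __name__ == "__main__":
    for path, finding in audit_lockfile(SAMPLE_LOCK):
        print(f"{finding:15} {path}")
```
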

3. Eliminate Long-Lived Credentials

Static API keys and tokens sitting in CI secrets are ticking time bombs. Replace them with OIDC federation.

Cloud provider OIDC support:

  • AWS: Configure GitHub Actions as an OIDC provider
  • Azure: Use federated credentials with managed identities
  • GCP: Workload identity federation

Each pipeline job gets fresh, narrowly-scoped credentials that expire automatically. No more leaked keys with months of validity.
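"Narrowly-scoped" depends on the trust policy attached to the cloud role. The following added example (not from the original guide) audits an AWS IAM role trust policy that trusts the GitHub Actions OIDC issuer and reports when the audience is not pinned or the subject condition is missing or broader than one repository and ref. The organisation name example-org, the account ID and the finding labels are constructed for the illustration.

```python
ISSUER = "token.actions.githubusercontent.com"


def audit_trust_policy(policy, org):
    """Return (statement index, finding) pairs for a parsed IAM trust policy."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        fed = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if stmt.get("Effect") != "Allow" or ISSUER not in str(fed):
            continue  # only statements that trust the GitHub OIDC provider
        conds = {}  # condition key -> values, merged across all operators
        for kv in stmt.get("Condition", {}).values():
            for key, val in kv.items():
                conds.setdefault(key, []).extend(val if isinstance(val, list) else [val])
        if conds.get(ISSUER + ":aud") != ["sts.amazonaws.com"]:
            findings.append((i, "aud-not-pinned"))
        subs = conds.get(ISSUER + ":sub", [])
        if not subs:
            findings.append((i, "no-sub-condition"))  # role not tied to any repository
        for sub in subs:
            parts = sub.split(":", 2)  # "repo", "ORG/REPO", "ref:... | environment:..."
            repo = parts[1] if len(parts) > 1 else ""
            if parts[0] != "repo" or not repo.startswith(org + "/"):
                findings.append((i, "sub-outside-org"))
            elif "*" in repo:
                findings.append((i, "sub-any-repo"))
            elif len(parts) < 3 or parts[2] == "*":
                findings.append((i, "sub-any-ref"))
    return findings


def sample_policy(condition):
    """Build a constructed trust policy around the given Condition block."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/" + ISSUER},
        "Condition": condition}]}


AUD = {ISSUER + ":aud": "sts.amazonaws.com"}
TIGHT = sample_policy({"StringEquals": {**AUD, ISSUER + ":sub": "repo:example-org/app:ref:refs/heads/main"}})
LOOSE = sample_policy({"StringEquals": AUD, "StringLike": {ISSUER + ":sub": "repo:example-org/*"}})
NO_SUB = sample_policy({"StringEquals": AUD})

if __name__ == "__main__":
    for name, pol in (("tight", TIGHT), ("loose", LOOSE), ("no-sub", NO_SUB)):
        print(name, audit_trust_policy(pol, "example-org"))
```
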

4. Scan Secrets at Commit Time

Catching credentials before they enter the repository prevents painful git history rewrites.

Pre-commit scanning tools:

  • GitGuardian - Comprehensive, low false positives
  • TruffleHog - Open source, regex + ML detection
  • GitHub Secret Scanning - Native integration

Configure both pre-commit hooks (developer machine) and pre-receive hooks (server-side enforcement).

5. Block Builds on Critical Vulnerabilities

Dependency scanners should enforce policy, not just report:

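# Example: Snyk CI configuration
# Note: --fail-on=all fails the build only when a finding has an upgrade or patch available;
# omit it to fail on every critical finding, fixable or not
snyk test --severity-threshold=critical --fail-on=all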

Recommended scanners:

  • Snyk
  • Dependabot
  • OSV-Scanner

Create exception processes for genuine emergencies, but make blocking the default behaviour.

6. Use Ephemeral Build Environments

Every CI job must start fresh—no persisted state, no shared credentials, no leftover artefacts from previous builds.

Platforms with ephemeral runners by default:

  • GitHub Actions (hosted runners)
  • GitLab CI (shared runners)
  • CircleCI (cloud)

If using self-hosted runners, ensure they're destroyed and recreated between jobs. Persistent runners accumulate secrets and attack surface.

7. Add South African PII Detection

Standard US-focused scanning tools miss SA-specific identifiers entirely. Your pipeline needs custom rules for:

  • SA ID numbers (13-digit format with checksum)
  • Passport numbers
  • Local banking identifiers

This ensures POPIA compliance and catches exposures generic tools ignore.
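A sketch of what such a custom rule can look like for SA ID numbers, added here as an example and not taken from LockedCyber's tooling: it finds standalone 13-digit runs, then keeps only those with a plausible birth date, a valid citizenship digit and a correct Luhn check digit, and masks the value in its output. The field layout used (YYMMDD, four-digit sequence, citizenship digit, one further digit, check digit) is the commonly documented one and is an assumption here, as are the function names and the constructed sample text.

```python
import re
from datetime import datetime

# Exactly 13 digits, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)\d{13}(?!\d)")


def luhn_ok(digits):
    """Luhn check over the whole number, check digit included."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_sa_id(number):
    """Assumed layout: YYMMDD, SSSS sequence, C citizenship, A, Z check digit."""
    try:
        datetime.strptime(number[:6], "%y%m%d")  # rejects impossible dates
    except ValueError:
        return False
    return number[10] in "012" and luhn_ok(number)


def scan(text):
    """Return (line number, masked ID) for every valid SA ID number in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            if is_sa_id(m.group()):
                # Mask the value so the scanner's own output is not a new exposure.
                hits.append((line_no, "*" * 11 + m.group()[-2:]))
    return hits


# Constructed sample: line 1 is a Luhn-valid test number, the rest must not match.
SAMPLE = """\
customer=Test User id_number=8001015009087
order_ref=1234567890123
tracking=8001015009088
msisdn_batch=98001015009087
"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```
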

Implementation Checklist

  1. SBOM generation for every release
  2. Lock files pinned and verified on each build
  3. Short-lived OIDC credentials (not static keys)
  4. Pre-commit and pre-receive secret scanning
  5. Critical vulnerability blocking enabled
  6. Ephemeral build environments only
  7. SA-specific PII detection rules configured
  8. Annual pipeline security review scheduled

Why This Matters for South African Teams

SA development teams increasingly export code through fintech, healthtech, and SaaS products. A pipeline compromise creates dual regulatory exposure:

  • POPIA domestically
  • GDPR, CCPA, or sector regulations internationally

Beyond compliance, reputation damage from a supply chain attack can end customer relationships permanently.

How LockedCyber Can Help

Our DevSecOps team specialises in pipeline security:

  • SBOM implementation across your build infrastructure
  • OIDC credential workflows for major cloud providers
  • Secret scanning with SA-specific detection rules
  • Pipeline penetration testing to find weaknesses before attackers do

Ready to secure your pipeline? Our Ethical Hacking service tests your entire software delivery chain, while CISO in a Box provides governance oversight to maintain security posture long-term.
