Recent cyberattacks leveraging weaknesses in continuous integration/continuous delivery (CI/CD) pipelines and developer tooling warrant a need for increased security of the developer infrastructure. Prominently, the Codecov supply-chain attack has alerted everyone against storing secrets in CI/CD environment variables, no matter how safe the environment might be.
By breaching a Bash uploader used by thousands of developers, Codecov attackers managed to siphon credentials, keys, and API tokens from customer environments, remained undetected for two months, and further, reportedly breached hundreds of restricted customer networks. Likewise, attacks on automation tools like Jenkins, GitHub Actions and cloud-native containerized environments have further prompted companies to explore and deploy effective defenses for these tools.
Below are some best practices to ensure your CI/CD pipelines remain secure.
1. Stop storing secrets in CI/CD environments
The reason behind the large success of Codecov supply-chain attack remains that the environment variables exfiltrated by the attackers contained hardcoded secrets including passwords, tokens, and keys. Because some of these credentials gave attackers access to the companies’ private GitHub repositories, further data exfiltration could occur from these private repos that contained data that should have remained confidential.