    CI/CD Security Guide

    Comprehensive guide to securing GitHub Actions workflows for AI-generated applications. Learn best practices for secrets management, action pinning, and preventing supply chain attacks in your deployment pipeline.

    CI/CD Is a Prime Attack Vector

    GitHub Actions workflows often have access to production secrets and deployment permissions. AI-generated workflows frequently hardcode credentials, use unpinned actions, and grant excessive permissions, making them targets for supply chain attacks and credential theft.

    GitHub Actions Security Checklist

    Follow these 12 steps to secure your CI/CD pipeline. Critical items prevent credential theft and supply chain attacks.

    Step 1

    Use GitHub Actions secrets

    Critical

    Store all sensitive values in encrypted GitHub secrets instead of hardcoding them in workflow YAML files.

    Step 2

    Pin action versions to SHA

    Critical

    Reference third-party actions by commit SHA instead of tags to prevent supply chain attacks from compromised actions.

    Step 3

    Restrict workflow permissions

    Critical

    Set the minimum required permissions for GITHUB_TOKEN, and avoid giving secrets.GITHUB_TOKEN write access unless a job needs it.

    Step 4

    Enable branch protection

    Critical

    Require status checks and reviews before merging to prevent malicious workflow changes from bypassing security.

    Step 5

    Audit third-party actions

    Critical

    Review all community actions for security issues and prefer official actions or verified publishers.

    Step 6

    Prevent secret logging

    Critical

    Ensure workflow scripts do not accidentally print environment variables or secrets in CI/CD logs.

    Step 7

    Use environment protection rules

    Configure required reviewers for production deployments and restrict which branches can deploy.

    Step 8

    Enable dependency scanning

    Use Dependabot and GitHub security scanning to detect vulnerable dependencies in your CI/CD pipeline.

    Step 9

    Implement OIDC for cloud access

    Use OpenID Connect instead of long-lived cloud credentials for AWS, Azure, or GCP deployments.

    Step 10

    Review workflow run logs

    Regularly audit CI/CD logs for suspicious activity, failed deployments, and unauthorized access attempts.

    Step 11

    Separate dev and prod workflows

    Use different workflows with different permissions for development and production deployments.

    Step 12

    Enable workflow approval

    Require manual approval for deployments to production environments to prevent accidental or malicious releases.

    Common CI/CD Security Vulnerabilities

    Secrets in Workflow Files

    Critical

    API keys and credentials are hardcoded directly in .github/workflows YAML files, visible to anyone with repository access.

    Unpinned Action Versions

    Critical

    Referencing actions by a mutable ref such as @main or @v1 allows attackers to inject malicious code if the action is compromised.

    Overpermissive GITHUB_TOKEN

    High

    Workflows are granted write permissions to all scopes when they only need read access, enabling privilege escalation.

    Secrets Printed in Logs

    High

    CI/CD scripts echo environment variables or run commands that leak secrets into publicly visible workflow logs.
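
    The four issues above can be checked mechanically. The following is an added example, not part of the original guide or of any tool it mentions: a line-based heuristic audit of one workflow file. The sample workflow, the example-org action names, the 40-character SHA and the API_KEY value are all constructed for illustration.

```python
import re

# Constructed sample workflow for illustration (not from a real repository).
SAMPLE_WORKFLOW = """\
name: deploy
on: push
permissions: write-all
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/deploy-action@main
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local-build
      - run: echo "token is ${{ secrets.DEPLOY_TOKEN }}"
        env:
          API_KEY: CONSTRUCTED-EXAMPLE-VALUE-0000
"""

# Heuristic patterns: they work on raw lines, not on parsed YAML.
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")  # only a full commit SHA counts as pinned
SECRET_KEY = re.compile(
    r"^\s*(?:-\s*)?[\w-]*(?:key|token|secret|password)[\w-]*:\s*['\"]?([^\s'\"]{16,})['\"]?\s*$", re.I)
ECHO_SECRET = re.compile(r"\b(?:echo|printf)\b.*\$\{\{\s*secrets\.")

def audit_workflow(text):
    """Return (line_number, rule, detail) findings for one workflow file."""
    findings, has_permissions = [], False
    for n, line in enumerate(text.splitlines(), 1):
        if re.match(r"\s*permissions:", line):
            has_permissions = True
            if re.search(r"permissions:\s*write-all\b", line):
                findings.append((n, "overpermissive-token", "permissions: write-all"))
        m = USES.match(line)
        # Local (./) and docker:// references are not resolved through a Git ref.
        if m and not m.group(1).startswith(("./", "docker://")) and not FULL_SHA.search(m.group(1)):
            findings.append((n, "unpinned-action", m.group(1)))
        m = SECRET_KEY.match(line)
        if m and "${{" not in m.group(1):  # literal value, not a secrets reference
            findings.append((n, "hardcoded-secret", line.split(":")[0].strip()))
        if ECHO_SECRET.search(line):
            findings.append((n, "secret-in-log", line.strip()))
    if not has_permissions:
        findings.append((0, "overpermissive-token", "no permissions block; repository default applies"))
    return findings

if __name__ == "__main__":
    print(*audit_workflow(SAMPLE_WORKFLOW), sep="\n")
```

    Because the patterns are heuristics, treat a clean result as a first pass; a literal secret under a key name that does not contain key, token, secret or password is not caught.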

    Audit Your CI/CD Workflows

    VibeEval analyzes your GitHub Actions workflows to detect hardcoded secrets, unpinned actions, and overpermissive configurations. Secure your deployment pipeline before attackers exploit it.