CI/CD SECURITY GUIDE FOR GITHUB ACTIONS | VIBEEVAL

CI/CD Is a Prime Attack Vector

GitHub Actions workflows often have access to production secrets and deployment permissions. AI-generated workflows frequently hardcode credentials, use unpinned actions, and grant excessive permissions, making them targets for supply chain attacks and credential theft.

GitHub Actions Security Checklist

Follow these 12 steps to secure your CI/CD pipeline. Critical items prevent credential theft and supply chain attacks.

Use GitHub Actions secrets

Store all sensitive values in encrypted GitHub secrets instead of hardcoding in workflow YAML files.

Pin action versions to SHA

Reference third-party actions by commit SHA instead of tags to prevent supply chain attacks from compromised actions.

Restrict workflow permissions

Set minimum required permissions for GITHUB_TOKEN and avoid using secrets.GITHUB_TOKEN with write access unnecessarily.

Enable branch protection

Require status checks and reviews before merging to prevent malicious workflow changes from bypassing security.

Audit third-party actions

Review all community actions for security issues and prefer official actions or verified publishers.

Prevent secret logging

Ensure workflow scripts do not accidentally print environment variables or secrets in CI/CD logs.

Use environment protection rules

Configure required reviewers for production deployments and restrict which branches can deploy.

Enable dependency scanning

Use Dependabot and GitHub security scanning to detect vulnerable dependencies in your CI/CD pipeline.

Implement OIDC for cloud access

Use OpenID Connect instead of long-lived cloud credentials for AWS, Azure, or GCP deployments.

Review workflow run logs

Regularly audit CI/CD logs for suspicious activity, failed deployments, and unauthorized access attempts.

Separate dev and prod workflows

Use different workflows with different permissions for development and production deployments.

Enable workflow approval

Require manual approval for deployments to production environments to prevent accidental or malicious releases.

Common CI/CD Security Vulnerabilities

Secrets in Workflow Files

API keys and credentials hardcoded directly in .github/workflows YAML, visible to anyone with repository access.

Unpinned Action Versions

Using @main or @v1 tags for actions allows attackers to inject malicious code if the action is compromised.

Overpermissive GITHUB_TOKEN

Workflows granted write permissions to all scopes when they only need read access, enabling privilege escalation.

Secrets Printed in Logs

CI/CD scripts echo environment variables or run commands that leak secrets into publicly visible workflow logs.

Related Resources

Environment Variables Security

Secure secrets management in CI/CD pipelines

Vercel Security Guide

Secure Vercel deployments from GitHub Actions

Docker Security Basics

Secure container builds in CI/CD pipelines

Automated Security Testing

Integrate security scans into your pipeline

Audit Your CI/CD Workflows

VibeEval analyzes your GitHub Actions workflows to detect hardcoded secrets, unpinned actions, and overpermissive configurations. Secure your deployment pipeline before attackers exploit it.