Your CI/CD pipeline has everything an attacker wants: access to source code, production credentials, deployment permissions, and the ability to push code that runs on every user's device. It's the most privileged system in your organisation, and it's often the least secured. In 2024-2025, pipeline compromises became one of the fastest-growing attack vectors, with incidents at SolarWinds, Codecov, and dozens of open-source projects demonstrating the devastating impact.
Why Pipelines Are High-Value Targets
A compromised CI/CD pipeline provides:
- Code injection at the source: Malicious code inserted during the build process ships to every customer, signed with your legitimate certificates.
- Credential access: Pipelines store database passwords, API keys, cloud credentials, and signing certificates as environment variables or secrets.
- Persistent access: Build system compromises persist across deployments. Every build runs the attacker's code, even as the application code changes.
- Trust exploitation: Code that comes from your official build pipeline passes integrity checks, code signing validation, and update mechanisms that would block externally modified binaries.
Attack Vectors Against Pipelines
The SolarWinds attack — where attackers spent months inside the build system injecting a backdoor into Orion updates distributed to 18,000 organisations — was the watershed moment. But the attack vectors are varied:
- Compromised dependencies: A malicious package pulled during the build process executes arbitrary code. This runs with the pipeline's full permissions.
- Poisoned build caches: Build caches shared across pipelines can be poisoned to inject code into unrelated projects.
- Leaked pipeline secrets: CI/CD configurations committed to repositories, build logs containing credentials, or overly permissive secret access.
- Pull request exploitation: In many configurations, a pull request from a fork triggers CI/CD execution. An attacker can submit a PR that modifies the build script to exfiltrate secrets.
The Codecov Incident: A Case Study
In 2021, attackers compromised Codecov's bash uploader script — a tool executed in thousands of CI/CD pipelines worldwide. For two months, every pipeline that ran the compromised script sent its environment variables (containing credentials and tokens) to an attacker-controlled server.
The attack was elegant: the modified script still performed its normal function (uploading coverage reports), so no tests failed and no builds broke. The exfiltration was a single extra curl command buried in the script. Companies using the compromised script unknowingly leaked production credentials for months.
The Configuration as Code Problem
CI/CD pipeline definitions are typically stored in the repository itself — .github/workflows/, .gitlab-ci.yml, Jenkinsfile. This is good for version control but means anyone with write access to the repository can modify the pipeline. A compromised developer account or a malicious insider can alter the build process to inject backdoors, exfiltrate secrets, or modify deployment targets.
Secrets in the Pipeline
Pipelines accumulate secrets over time: deployment keys, API tokens, signing certificates, database credentials. Common misconfigurations include:
- Secrets available to all pipeline steps when only the deployment step needs them
- Secrets accessible from pull request builds (which can be triggered by external contributors)
- Secrets printed in build logs through environment variable expansion or debugging output
- Production secrets used in non-production pipelines
ShieldReport helps you assess the external footprint of your deployed applications — the output of your CI/CD pipeline — ensuring that what's deployed to production meets security configuration standards regardless of how it got there.