DevSecOps, Supply Chain and CI/CD

Domain overview

The important question is not just whether code is vulnerable at runtime. It is whether trust was already lost upstream in source control, build logic, artifact handling or release automation.

How to approach this surface

• Source access is only the beginning. The real question is what the pipeline can build, sign, publish or deploy without enough friction.
• Secrets in code, history, CI variables and runner disks are still common, but the bigger prize is often execution in the build environment itself.
• Package trust is social as much as technical. Namespace confusion, mirror trust, version drift and transitive dependencies all widen the attack surface.
• GitOps moves operational trust into declarative repos. That can be elegant, but it also means repo compromise becomes infrastructure compromise.
• Signing and provenance do not eliminate risk; they change where you have to attack. Key custody, workflow identity and attestation enforcement become the new pressure points.

Related certification and framework context

• OffSec Learning PathsCurrent paths that touch DevSecOps, secure development and cloud automation concerns.
• SLSA FrameworkSupply-chain maturity and build integrity framing.
• OpenSSFIndustry-wide secure supply-chain guidance and references.

Selected public references

• GitHub Actions Security HardeningWorkflow-token scope, runner trust and action-chain hardening.
• GitLab CI/CD SecurityPipeline security design and abuse surfaces.
• SigstoreSigning and provenance for modern software artifacts.
• CycloneDXSBOM standard and dependency transparency context.
• in-totoSoftware supply-chain integrity framework.
• OWASP Dependency-TrackDependency visibility and risk-tracking support.

Topic index