Quick Links & Suggestions
Press Enter to search site, Esc to exit
↑↓ Navigate

How do you secure a CI/CD pipeline from supply chain attacks?

Hard Topic: CI/CD May 24, 2026

Supply chain attacks (like SolarWinds, XZ Utils) target the build pipeline itself. Defense layers:

  1. Pin action versions: Use commit SHA, not floating tags like @v2. uses: actions/checkout@abc123
  2. SBOM generation: Generate a Software Bill of Materials at build time using Syft.
  3. Image signing: Sign images with Cosign (Sigstore). Verify signatures before deployment.
  4. Least privilege: GitHub Actions tokens should have minimal permissions. Set permissions: read-all by default.
  5. Dependency review: Use Dependabot or Renovate for automated dependency updates.
← Previous How do you implement secret management in a... Next → What is the difference between a Blue/Green deployment...

Practice Similar Questions

What is the purpose of a staging environment and what...
Medium
How do you handle database migrations in a CI/CD pipeline...
Medium
How do you implement a multi-environment deployment pipeline (dev →...
Hard
Back to CI/CD Topics