Closed EbonyAdder closed 9 months ago
I think this is a fantastic idea!
Agreed, love the idea. Do you want to work on an outline?
Thanks for the feedback and sorry for the delay. Here is a rough outline:
Explain purpose of cheatsheet, scope, etc.
Although I assume the audience will be at least somewhat familiar with CI/CD concepts, I think it would be beneficial to explicitly (but briefly) define what is meant by CI/CD in the context of this CS, since different individuals may include different components within the umbrella "CI/CD" concept.
Will provide a high-level overview of how hackers can exploit CI/CD tools and processes, why CI/CD pipelines can be such an appealing target to attackers, and attack surface.
Will focus on secure configuration of repositories and tools such as Jenkins. Addresses issues raised in CICD-SEC-1, CICD-SEC-4, and CICD-SEC-7.
Will map primarily to CICD-SEC-2, CICD-SEC-5, and CICD-SEC-6.
Will map primarily to CICD-SEC-3 and CICD-SEC-8.
Will map primarily to CICD-SEC-9.
Will map primarily to CICD-SEC-10.
I like this direction 👍🏼
Nice. The next step is to create a draft PR and start working on it! That way others can review and add suggestions as you go.
What is the proposed Cheat Sheet about?
This cheatsheet would cover topics related to CI/CD security, including common vulnerabilities, potential impact, and mitigations.
What security issues are commonly encountered related to this area?
Secrets (mis)management, access control, misconfiguration, lack of monitoring and visibility, lack of integrity validation, etc.
What is the objective of the Cheat Sheet?
The objective of this cheatsheet is to highlight common security risks in CI/CD processes and technologies and provide recommended responses to reduce risks.
What other resources exist in this area?
Please let me know if you need more details. I haven't put together an outline of example content yet, but can do so if there is sufficient interest.