How do I secure secrets in CI/CD pipelines?

Never hardcode secrets in code or config files. Use your CI/CD platform's secret management (GitHub Secrets, GitLab CI Variables). Better yet, use OIDC for cloud authentication to eliminate stored credentials.

What is the difference between SAST and DAST?

SAST (Static Application Security Testing) analyzes source code without running it. DAST (Dynamic Application Security Testing) tests running applications. Use both for comprehensive coverage.

Why should I pin GitHub Actions to SHA?

Pinning actions to commit SHAs prevents supply chain attacks. Tags can be moved to point to malicious code, but SHAs are immutable. Use actions/checkout@b4ffde65f46... instead of @v4.

What is build provenance and why does it matter?

Build provenance is cryptographic evidence of where an artifact came from. It enables verification that artifacts weren't tampered with. Generate provenance using SLSA GitHub generator or sigstore/cosign.

How do I implement least privilege in CI/CD?

Set permissions: {} at the workflow level to disable all permissions, then grant only what's needed per job. Use environment-specific credentials and avoid admin tokens in pipelines.

Home/Tools/Assessment/CI/CD Security Checklist

CI/CD Security Checklist

100% Private - Runs Entirely in Your Browser

No data is sent to any server. All processing happens locally on your device.

Loading CI/CD Security Checklist...

Loading interactive tool...

JavaScript Required

This interactive tool requires JavaScript to function. Please enable JavaScript in your browser to use the full features.

The tool description and documentation above provide information about this tool's capabilities. For the best experience, please enable JavaScript and refresh the page.

Need Professional IT & Security Help?

Our team of experts is ready to help protect and optimize your technology infrastructure.

Learn About Risk Assessment Explore vCISO Services

Frequently Asked Questions

Common questions about the CI/CD Security Checklist

SLSA (Supply-chain Levels for Software Artifacts) is a security framework for protecting software supply chains. It defines four levels of increasing security guarantees, from basic build provenance (L1) to hermetic, reproducible builds (L4).

ℹ️ Disclaimer

This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.