Supply Chain // Repos, Pipelines and Build Trust

DevSecOps, Supply Chain and CI/CD

Modern compromise increasingly happens before runtime. Repositories, packages, runners, secrets, signing systems and deployment automation sit upstream of the final target and quietly define what code becomes trusted. That makes DevSecOps and supply-chain assessment one of the highest-leverage offensive domains on the site.

Domain overview

This domain covers Git secrets, pipeline abuse, artifact poisoning, runner compromise, package trust, SBOM and signing, GitOps, secure build systems, cloud automation and the attack paths that emerge when developers and deployment systems share too much trust. The useful question is never just "can I read the repo?" It is "what can this development and release path produce, sign, deploy or overwrite for me?"

How to approach this surface

  • Source access is only the beginning. The real question is what the pipeline can build, sign, publish or deploy without enough friction.
  • Secrets in code, history, CI variables and runner disks are still common, but the bigger prize is often execution in the build environment itself.
  • Package trust is social as much as technical. Namespace confusion, mirror trust, version drift and transitive dependencies all widen the attack surface.
  • GitOps moves operational trust into declarative repos. That can be elegant, but it also means repo compromise becomes infrastructure compromise.
  • Signing and provenance do not eliminate risk; they change where you have to attack. Key custody, workflow identity and attestation enforcement become the new pressure points.

Related certification and framework context

Curated public references

Brief index