CI/CD Hardening Checklist

1. Workspace Trust & Input Safety (Highest Priority)

  • Never auto‑trust workspaces in CI

    • Require explicit trust configuration for any repo contents before loading configs or env files.
    • Mandatory for AI agents running in headless mode (e.g., Gemini CLI).

  • Treat forks, PRs, issues, and comments as untrusted

    • Especially dangerous when pipelines run on pull_request_target, which runs with the base repository's permissions and secrets.
    • Never load .env, .gemini/, or agent config from untrusted inputs.

  • Block configuration discovery

    • Disable recursive discovery of agent configs unless explicitly allow‑listed.

2. AI Agent–Specific Controls (Gemini CLI, Claude Code, etc.)

  • Upgrade all agent tools

    • Gemini CLI ≥ 0.39.1
    • run-gemini-cli Action ≥ 0.1.22

  • Disable unrestricted execution modes

    • Avoid --yolo or equivalent autonomous modes.
    • If required, enforce strict command allowlists.

  • Separate “analysis” from “execution”

    • Let agents review or suggest changes.
    • Require a human gate or isolated job for command execution.

  • No agent runs with contributor‑level privileges

    • AI agents should never hold the same rights as a trusted developer.

3. Tool Allowlisting & Command Execution

  • Explicit command allowlists

    • Allow only exact binaries + arguments.
    • No wildcards (*, shell expansion, pipes).

  • Disable shell by default

    • Prefer structured tools over run_shell_command.

  • Fail closed

    • Any unknown or malformed command should hard‑fail the job.

4. Secrets & Credential Protection

  • Do not expose secrets to untrusted workflows

    • Especially on fork PRs and external contributions.

  • Use short‑lived, scoped credentials

    • Replace static tokens with OIDC or ephemeral secrets.

  • Automatic secret revocation

    • Rotate credentials after any compromised run or failed trust check.

5. Execution Environment Isolation

  • Ephemeral CI runners

    • Destroy runners after each job.
    • No shared disk or persistent state.

  • Network egress restrictions

    • Default‑deny outbound access.
    • Block data exfiltration paths.

  • Filesystem sandboxing

    • Read‑only source directories.
    • Writable temp directories only.

6. Dependency & Action Supply‑Chain Security

  • Pin all GitHub Actions

    • Pin to full commit SHAs, not mutable tags.

  • Enable Dependabot / Renovate

    • Monitor toolchain and agent dependencies for security advisories.

  • Review AI agent updates as breaking changes

    • Treat behavior changes (trust, sandboxing) as security‑impacting.

7. Pipeline Logic & Permissions

  • Principle of least privilege

    • Separate jobs for:
      • Lint / analysis
      • Build
      • Deployment
      • Agent activity

  • No deployment from untrusted branches

    • Require protected branches + manual approval.

  • Explicit environment protection rules

    • Require reviewers for prod‑level secrets.
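As an added example (not code from the post), the checks from sections 1, 2, 6 and 7 written as a small stdlib-only Python audit that can run over workflow files in a pre-merge job; both workflow texts, the action path example-org/run-gemini-cli and the all-zero SHA are constructed placeholders, not real references.

```python
import re

# Constructed sample (not a real workflow): trips several checklist items.
WEAK_WORKFLOW = """\
on: pull_request_target
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: example-org/run-gemini-cli@v0
      - run: gemini --yolo -p "fix the failing tests"
"""

# Constructed hardened counterpart; the all-zero SHA is a placeholder for a real pin.
HARDENED_WORKFLOW = """\
on: pull_request
permissions:
  contents: read
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - run: gemini -p "review this diff and suggest changes only"
"""

USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.M)

def audit_workflow(text: str) -> list[str]:
    """Return checklist findings for one GitHub Actions workflow text."""
    findings = []
    # 6. Pin every action to a full 40-hex commit SHA; tags and branches are mutable.
    for ref in USES.findall(text):
        if not re.fullmatch(r"\S+@[0-9a-f]{40}", ref):
            findings.append(f"unpinned action: {ref}")
    # 1. pull_request_target runs in the base repo's trusted context; checking out
    #    the PR head there executes untrusted fork code with that trust.
    if "pull_request_target" in text and "pull_request.head" in text:
        findings.append("pull_request_target checks out untrusted PR head")
    # 2. Autonomous/unrestricted agent mode has no human gate.
    if re.search(r"--yolo\b", text):
        findings.append("agent invoked with --yolo")
    # 7. Without a top-level permissions block the job token keeps its default scope.
    if not re.search(r"^permissions:", text, re.M):
        findings.append("no top-level permissions: block")
    return findings
```

Run `audit_workflow` over each file under .github/workflows and fail the job on any non-empty result; the hardened sample returns an empty list.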

8. Logging, Detection & Audit

  • Log every executed command

    • Include AI‑initiated commands.

  • Preserve artifacts for forensic review

    • Capture workspace snapshots for suspicious runs.

  • Alert on abnormal behavior

    • Unexpected network calls
    • Config discovery
    • Shell execution attempts

9. Incident Readiness

  • Pre‑define a CI incident playbook

    • Credential rotation
    • Runner teardown
    • Repository lock‑down

  • Assume compromise if RCE occurs

    • Treat CI runners as fully breached.

10. Governance & Policy

  • Document agent trust policy

    • When agents may execute
    • What inputs are considered safe

  • Train developers

    • AI agents are code execution systems, not just chat assistants.
