Skip to main content

Module 12: Secure CI/CD Pipelines Slides

Slide walkthrough for Module 12 of Cloud Native Security Engineering: Securing Kubernetes, Workloads, APIs & Zero Trust Systems: Harden GitHub Actions,...

This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.

Slide Outline

  1. Secure CI/CD Pipelines - Harden GitHub Actions, protect secrets, isolate pipelines, and implement secure deployment workflows
  2. Learning Objectives - 4 outcomes for this module
  3. Why This Module Matters - A compromised CI/CD pipeline is the fastest path from attacker to production. Securing the pipeline secures the entire d
  4. CI/CD Threat Vectors - Lesson section from the full module
  5. Hardening GitHub Actions - Lesson section from the full module
  6. Real-World Use Cases - Hardening GitHub Actions for production deployments, OIDC-based cloud authentication (zero static secrets)
  7. Common Mistakes to Avoid - 4 mistakes covered
  8. Hands-On Labs - 2 hands-on labs
  9. Key Takeaways - 5 points to remember

Learning Objectives

  • Identify CI/CD threat vectors
  • Harden GitHub Actions workflows
  • Implement pipeline isolation and secret scanning
  • Deploy securely with signed artifacts and workload identity

Why This Module Matters

A compromised CI/CD pipeline is the fastest path from attacker to production. Securing the pipeline secures the entire delivery chain — from source code to running workload.

Common Mistakes

  • Using permissions: write-all in workflows
  • Storing cloud credentials as repository secrets instead of OIDC
  • Not scanning for leaked secrets before they reach the main branch
  • Using unpinned action versions (uses: actions/checkout@main instead of SHA)

Key Takeaways

  • CI/CD pipelines are high-value targets — they have production access
  • Use minimal permissions on every workflow — never write when read is enough
  • Pin all third-party actions to specific commit SHAs
  • Use OIDC for cloud authentication — eliminate all static secrets from CI
  • Sign every artifact in CI, verify every artifact before deploying

Hands-On Labs

  1. Harden a GitHub Actions Workflow

    Apply security best practices to a CI/CD pipeline.

    30 min - Intermediate

    • Audit an insecure workflow (over-permissioned, unpinned actions)
    • Add minimal permissions, pin action versions to SHA
    • Add secret scanning with gitleaks
    • Configure OIDC for deployment (eliminate static secrets)

    View lab files on GitHub

  2. Implement Secure Deployment Pipeline

    Build a pipeline that signs, scans, and deploys with verification.

    35 min - Advanced

    • Build and sign images with Cosign in CI
    • Generate SBOM and scan for CVEs
    • Configure admission controller to reject unsigned images
    • Deploy using OIDC workload identity (zero static secrets)

    View lab files on GitHub

Read the full module | Back to course curriculum