
Security

Risks

CI/CD is the automation of most (if not all) processes in your software lifecycle, from building the application to running it in production. With so much happening automatically, an attacker who compromises the pipeline has a wide range of options:

  • introduce malicious components (e.g. a backdoor) into the application,
  • leak credentials (to the Internet) that grant access to internal services or infrastructure,
  • access those services or infrastructure directly,
  • impersonate an employee,
  • leak intellectual property,
  • ...

Every CI/CD job is executed inside a container image that contains the various tools the job requires. When you execute the job, you are trusting both the people who built the image and the tools it ships.

In some cases, the image may have been tampered with by an attacker. This is what is called a supply chain attack. A famous case is the Codecov incident, in which attackers modified Codecov's Bash Uploader script so that it exfiltrated CI environment variables, leaking credentials for several services and cloud platforms.

Mitigations

Variables scoping

To prevent leakage, a CI/CD variable must be present only in the jobs that need it. For example, in the Maven template only the mvn-sonar job actually needs the SONAR_TOKEN environment variable, so the other jobs (mvn-build, mvn-release, ...) should not have access to this secret.

You can find more information about how to protect your CI/CD variables in the official GitLab documentation.
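As an added example (not taken from the to be continuous templates or from the GitLab documentation), here is one way to enforce that scoping in GitLab: give the SONAR_TOKEN project variable an environment scope and attach that environment only to the mvn-sonar job, so that no other job receives it. The environment name `sonar`, the `check-secret-scoping` job and its Alpine image are assumptions made for this example.

```yaml
# Added example: project-side .gitlab-ci.yml overrides, not the upstream template.
#
# Prerequisite, done once in Settings > CI/CD > Variables:
#   SONAR_TOKEN   Environment scope: sonar   Protected: yes   Masked: yes
# A variable with an environment scope is only injected into jobs whose
# `environment:name` matches that scope; every other job never sees it.
# "Protected" additionally limits it to pipelines on protected branches/tags,
# and "Masked" keeps it out of job logs.

mvn-sonar:
  environment:
    name: sonar        # assumed name; must equal the variable's environment scope
    action: prepare    # no deployment is recorded, the environment only carries the scope

# Optional guard (assumed job name): a job without `environment: sonar` must not
# see the secret. The test fails the job if the variable leaked anyway.
check-secret-scoping:
  image: registry.hub.docker.com/library/alpine:3.19   # assumed; any image with a POSIX shell
  script:
    - 'test -z "${SONAR_TOKEN:-}" || { echo "SONAR_TOKEN must not be visible in this job" >&2; exit 1; }'
```

The guard job is cheap and catches the common regression where someone later removes the environment scope from the variable "to make another job work".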

Image selection

As far as possible, we select either official images (e.g. Maven, Python) or at least images maintained by an active community. Each of these images can be freely overridden with the appropriate configuration variable, to select a fixed version (more info here) or any alternative that suits you better.

By default, to be continuous templates mostly use the latest tag of upstream images, since it is a maintenance-free default that works for nearly everyone. However, latest images are more exposed to supply chain attacks (the tag can be re-pushed at any time, so what a job runs tomorrow may not be what you reviewed today) and are also likely to introduce breaking changes.

to be continuous is not responsible for any security issue that may arise from a default container image.

You should either:

  • use a fixed version tag: using maven:3.9.1 instead of maven:latest makes sure you stay on a specific version of the tools (pinning the image digest as well makes the reference immutable, since a version tag can still be re-pushed),
    • prefer the official image with the fewest tools (prefer minimal size, an Alpine distribution or even a distroless image if you can find one suited to your needs): the more the image contains, the larger the attack surface,
  • or build and maintain your own image with a chosen version of each tool:
    • use no distribution or a minimal one,
    • upgrade tools and important components regularly with safe updates,
    • rootless images are preferable, as they mitigate some container escalation vulnerabilities against your runner provider.
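The following check, added here as an example and not part of to be continuous, turns the advice above into something a pipeline can enforce: it classifies each `*_IMAGE` variable as digest-pinned, version-pinned or floating, and lists the ones that should be overridden. The sample variable set is constructed from defaults listed on this page plus two hypothetical overrides (GO_IMAGE and NODE_IMAGE); the `sha256` digest is a dummy value, not a real image digest.

```python
"""Audit CI/CD image variables for floating tags.

Added example, not part of the to be continuous project: classifies each
image reference as digest-pinned, version-pinned or floating, so a pipeline
can refuse `latest`-style defaults before they reach a job.
"""
import re

# Tags that never identify a fixed build, whatever the image.
FLOATING_TAGS = {"latest", "stable", "edge", "dind", "debug", "base"}

# A version-pinned tag starts with at least major.minor (optionally "v"),
# e.g. "3.9.1", "17.0.2_1.6.2_3.1.3", "1.22.3-alpine3.19". Tags such as
# "3-slim", "lts-alpine" or "bookworm" track a moving line and count as floating.
VERSION_TAG = re.compile(r"^v?\d+\.\d+")


def parse_image_ref(ref: str):
    """Split 'registry/repo:tag@sha256:...' into (name, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    last = ref.rsplit("/", 1)[-1]          # a registry port sits before the first '/', never here
    if ":" in last:
        last_name, tag = last.split(":", 1)
        name = ref[: len(ref) - len(last)] + last_name
    return name, tag, digest


def classify(ref: str) -> str:
    """Return 'digest', 'version' or 'floating' for one image reference."""
    _, tag, digest = parse_image_ref(ref)
    if digest:
        return "digest"                     # immutable: the only true pin
    if tag is None or tag in FLOATING_TAGS or tag.startswith(("latest-", "stable-")):
        return "floating"
    if VERSION_TAG.match(tag):
        return "version"                    # fixed version, but the tag can still be re-pushed
    return "floating"


def audit(variables: dict, allow_version_tags: bool = True) -> list:
    """Return the variable names whose image is not pinned strictly enough."""
    accepted = {"digest", "version"} if allow_version_tags else {"digest"}
    return sorted(name for name, ref in variables.items() if classify(ref) not in accepted)


# Constructed sample: the first five are defaults listed on this page, the last
# two are hypothetical overrides (the digest is a dummy value).
SAMPLE_VARIABLES = {
    "MAVEN_IMAGE": "registry.hub.docker.com/library/maven:latest",
    "PYTHON_IMAGE": "registry.hub.docker.com/library/python:3-slim",
    "TF_CHECKOV_IMAGE": "registry.hub.docker.com/bridgecrew/checkov",
    "DOCKER_HADOLINT_IMAGE": "registry.hub.docker.com/hadolint/hadolint:latest-alpine",
    "SBT_IMAGE": "registry.hub.docker.com/sbtscala/scala-sbt:17.0.2_1.6.2_3.1.3",
    "GO_IMAGE": "registry.hub.docker.com/library/golang:1.22.3-alpine3.19",
    "NODE_IMAGE": "registry.hub.docker.com/library/node:20-alpine@sha256:" + "0" * 64,
}

if __name__ == "__main__":
    for name in audit(SAMPLE_VARIABLES):
        print(f"{name}: {SAMPLE_VARIABLES[name]} -> {classify(SAMPLE_VARIABLES[name])}")
```

Run it against the `variables:` section of your .gitlab-ci.yml (or the merged configuration returned by GitLab's CI lint API) before merging. Treat `version` as acceptable only for registries you trust, since a version tag is still mutable, and require `digest` for the images used by release and deployment jobs.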

Tip

Whether you build your own image or use an upstream one, you can use Renovate to watch for updates to your tools, test the new versions and integrate them seamlessly.

Vulnerability Reports (Trivy)

Warning

When reviewing vulnerabilities reported on container images, keep the following principles in mind:

  • containers are usually very short-lived in a CI/CD environment,
  • no direct user access is possible,
  • most jobs do not expose any external service (e.g. an HTTP server), which makes attacks relying on user interaction very hard, if not impossible, to exploit.

In short, risks are often low in the CI/CD context, but carefully reviewing vulnerabilities remains an essential step in securing your pipeline. Pay particular attention to vulnerabilities in tools that process untrusted input fetched by the job (dependencies, pulled images, repository contents) and in the container runtime itself, since those do not rely on user interaction.
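To put those principles into practice, here is a small triage script added as an example (it is not part of to be continuous or of Trivy): it reads a Trivy JSON report, counts findings per severity in the same format as the table below, optionally discards findings that have no fixed version yet, and returns whether the job should fail. The report embedded in it is constructed by hand, with placeholder CVE identifiers and package names, and only mimics the shape of `trivy image --format json` output.

```python
"""Triage a Trivy JSON report in a CI/CD context.

Added example, not part of to be continuous or Trivy. Counts findings per
severity, optionally drops entries with no fixed version (nothing to
upgrade to yet), and decides whether the job should fail.
"""
import json

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample report: placeholder CVE identifiers and package names,
# shaped like Trivy's Results[].Vulnerabilities[] JSON output.
SAMPLE_REPORT = json.loads("""
{
  "Results": [
    {
      "Target": "example/image:latest (debian 12.5)",
      "Class": "os-pkgs",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "InstalledVersion": "1.0-1",
         "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "InstalledVersion": "2.3",
         "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "InstalledVersion": "0.9",
         "FixedVersion": "1.0", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux", "InstalledVersion": "4.1",
         "Severity": "LOW"}
      ]
    },
    {"Target": "Node.js", "Class": "lang-pkgs", "Vulnerabilities": null}
  ]
}
""")


def count_by_severity(report: dict, ignore_unfixed: bool = False) -> dict:
    """Count findings per severity; unknown labels fall into the UNKNOWN bucket."""
    counts = {s: 0 for s in SEVERITIES}
    for result in report.get("Results", []):
        # Trivy omits or nulls the key when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            counts[sev if sev in counts else "UNKNOWN"] += 1
    return counts


def format_counts(counts: dict) -> str:
    """'4 Critical, 38 High, 20 Medium, 2 Low' style, omitting empty buckets."""
    parts = [f"{counts[s]} {s.capitalize()}" for s in SEVERITIES if counts[s]]
    return ", ".join(parts) if parts else "none"


def gate(report: dict, fail_on=("CRITICAL", "HIGH"), ignore_unfixed: bool = True) -> bool:
    """True when the job should fail: a finding at a blocking severity exists.

    With ignore_unfixed=True only findings that can actually be remediated
    by an upgrade block the pipeline; the rest are reported, not enforced.
    """
    counts = count_by_severity(report, ignore_unfixed=ignore_unfixed)
    return any(counts[s] > 0 for s in fail_on)


if __name__ == "__main__":
    print("all findings:   ", format_counts(count_by_severity(SAMPLE_REPORT)))
    print("fixable only:   ", format_counts(count_by_severity(SAMPLE_REPORT, ignore_unfixed=True)))
    print("fail the job?   ", gate(SAMPLE_REPORT))
```

Trivy can apply the same policy natively with `trivy image --severity CRITICAL,HIGH --ignore-unfixed --exit-code 1 <image>`; a script like this is useful when the policy must differ per image, for instance failing on any fixable finding in the image that builds and pushes release artifacts while only reporting on a short-lived lint job.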

Here are the vulnerability reports for each default image used by to be continuous templates (generated every day; an empty cell means the report listed no findings):

| Template | Image variable | Default image | Vulnerabilities |
|---|---|---|---|
| Ansible | ANSIBLE_IMAGE | registry.hub.docker.com/cytopia/ansible:latest-tools | 3 Medium |
| Ansible | ANSIBLE_LINT_IMAGE | registry.hub.docker.com/haxorof/ansible-lint:latest | 2 Unknown |
| Amazon Web Services | AWS_CLI_IMAGE | registry.hub.docker.com/amazon/aws-cli:latest | |
| Azure | AZURE_CLI_IMAGE | mcr.microsoft.com/azure-cli:latest | 4 Critical, 38 High, 20 Medium, 2 Low |
| Bash | BASH_BATS_IMAGE | registry.hub.docker.com/bats/bats:latest | 18 Medium, 2 Low |
| Bash | BASH_SHELLCHECK_IMAGE | registry.hub.docker.com/koalaman/shellcheck-alpine:stable | 18 Medium, 2 Low |
| Bruno | BRU_IMAGE | registry.hub.docker.com/library/node:lts-alpine | |
| Cloud Foundry | CF_CLI_IMAGE | registry.hub.docker.com/governmentpaas/cf-cli | 5 Critical, 18 High, 39 Medium, 2 Low |
| Cloud Native Buildpacks | CNB_BUILDER_IMAGE | registry.hub.docker.com/paketobuildpacks/builder:base | 137 Critical, 519 High, 1705 Medium, 3 Low |
| Cloud Native Buildpacks | CNB_SKOPEO_IMAGE | quay.io/skopeo/stable:latest | |
| Cloud Native Buildpacks | CNB_TRIVY_IMAGE | registry.hub.docker.com/aquasec/trivy:latest | 11 Medium, 1 Low, 2 Unknown |
| Cypress | CYPRESS_IMAGE | registry.hub.docker.com/cypress/included:12.0.2 | 47 Critical, 626 High, 1596 Medium, 865 Low, 30 Unknown |
| dbt | DBT_IMAGE | registry.hub.docker.com/library/python:latest | 8 Critical, 67 High, 311 Medium, 533 Low, 7 Unknown |
| Docker Compose | DCMP_IMAGE | registry.hub.docker.com/library/docker:latest | 1 Medium, 2 Unknown |
| DefectDojo | DEFECTDOJO_BASE_IMAGE | registry.hub.docker.com/library/node:alpine3.11 | 1 Critical, 24 High, 4 Medium, 1 Low |
| Dependency Track | DEPTRACK_SBOM_SCANNER_IMAGE | registry.gitlab.com/to-be-continuous/tools/dt-sbom-scanner:latest | 2 Unknown |
| Docker | DOCKER_BUILDAH_IMAGE | quay.io/buildah/stable:latest | |
| Docker | DOCKER_DIND_IMAGE | registry.hub.docker.com/library/docker:dind | 1 Medium, 2 Unknown |
| Docker | DOCKER_HADOLINT_IMAGE | registry.hub.docker.com/hadolint/hadolint:latest-alpine | 8 High, 12 Medium |
| Docker | DOCKER_IMAGE | registry.hub.docker.com/library/docker:latest | 1 Medium, 2 Unknown |
| Docker | DOCKER_KANIKO_IMAGE | gcr.io/kaniko-project/executor:debug | 2 Low |
| Docker | DOCKER_SBOM_IMAGE | registry.hub.docker.com/anchore/syft:debug | |
| Docker | DOCKER_SKOPEO_IMAGE | quay.io/skopeo/stable:latest | |
| Docker | DOCKER_TRIVY_IMAGE | registry.hub.docker.com/aquasec/trivy:latest | 11 Medium, 1 Low, 2 Unknown |
| Google Cloud | GCP_CLI_IMAGE | gcr.io/google.com/cloudsdktool/cloud-sdk:latest | 15 Critical, 180 High, 603 Medium, 602 Low, 12 Unknown |
| Gitleaks | GITLEAKS_IMAGE | registry.hub.docker.com/zricethezav/gitleaks:latest | 3 High, 19 Medium, 2 Low |
| GitLab Package | GLPKG_IMAGE | registry.hub.docker.com/curlimages/curl:latest | 10 Medium |
| Go | GO_CI_LINT_IMAGE | registry.hub.docker.com/golangci/golangci-lint:latest-alpine | 1 Critical, 31 Medium, 2 Unknown |
| Go | GO_IMAGE | registry.hub.docker.com/library/golang:bookworm | 3 Critical, 39 High, 242 Medium, 256 Low, 5 Unknown |
| Go | GO_SBOM_IMAGE | registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest | 20 Critical, 20 High, 59 Medium, 2 Low |
| Gradle | GRADLE_IMAGE | registry.hub.docker.com/library/gradle:latest | 11 Medium, 72 Low |
| Helmfile | HELMFILE_CLI_IMAGE | ghcr.io/helmfile/helmfile:latest | 11 Critical, 43 High, 84 Medium, 1 Low |
| Helm | HELM_CLI_IMAGE | registry.hub.docker.com/alpine/helm:latest | 2 Medium, 4 Unknown |
| Helm | HELM_KUBE_SCORE_IMAGE | registry.hub.docker.com/zegl/kube-score | 8 Critical, 56 High, 96 Medium, 4 Low |
| Helm | HELM_YAMLLINT_IMAGE | registry.hub.docker.com/cytopia/yamllint | 6 High, 12 Medium |
| Hurl | HURL_IMAGE | ghcr.io/orange-opensource/hurl:latest | 18 Medium, 2 Low |
| k6 | K6_IMAGE | registry.hub.docker.com/grafana/k6:latest | 5 Medium |
| Kubernetes | K8S_KUBECTL_IMAGE | registry.hub.docker.com/bitnami/kubectl:latest | 3 Critical, 19 High, 31 Medium, 91 Low |
| Kubernetes | K8S_KUBE_SCORE_IMAGE | registry.hub.docker.com/zegl/kube-score:latest | 8 Critical, 56 High, 96 Medium, 4 Low |
| Lighthouse | LHCI_IMAGE | registry.hub.docker.com/cypress/browsers:latest | 6 Critical, 37 High, 128 Medium, 232 Low, 23 Unknown |
| GNU Make | MAKE_IMAGE | registry.hub.docker.com/alpinelinux/build-base | 2 Unknown |
| Maven | MAVEN_IMAGE | registry.hub.docker.com/library/maven:latest | 7 Medium, 38 Low |
| MkDocs | MKD_IMAGE | registry.hub.docker.com/polinux/mkdocs:latest | 1 Critical, 17 High, 40 Medium, 3 Low |
| MkDocs | MKD_LYCHEE_IMAGE | registry.hub.docker.com/lycheeverse/lychee:latest | 2 Critical, 20 High, 46 Medium, 73 Low |
| MobSF | MOBSF_CLIENT_IMAGE | registry.hub.docker.com/badouralix/curl-jq | 25 Medium, 2 Low |
| Angular | NG_CLI_IMAGE | registry.hub.docker.com/trion/ng-cli-karma:latest | 3 Critical, 51 High, 270 Medium, 355 Low, 5 Unknown |
| Node.js | NODE_IMAGE | registry.hub.docker.com/library/node:lts-alpine | |
| Node.js | NODE_SEMGREP_IMAGE | registry.hub.docker.com/semgrep/semgrep:latest | 8 High, 2 Medium, 1 Low, 4 Unknown |
| OpenShift | OS_CLI_IMAGE | quay.io/openshift/origin-cli:latest | 3 Critical, 29 High, 38 Medium, 10 Low |
| PHP | PHP_IMAGE | registry.hub.docker.com/library/php:latest | 1 Critical, 31 High, 237 Medium, 225 Low, 1 Unknown |
| Playwright | PLAYWRIGHT_IMAGE | mcr.microsoft.com/playwright:latest | 116 Medium, 95 Low |
| Postman | POSTMAN_IMAGE | registry.hub.docker.com/postman/newman:latest | 3 High, 29 Medium, 3 Low |
| pre-commit | PRE_COMMIT_IMAGE | registry.hub.docker.com/library/python:3-alpine | |
| Puppeteer | PUPPETEER_IMAGE | ghcr.io/puppeteer/puppeteer:latest | 9 Critical, 252 High, 1495 Medium, 548 Low, 13 Unknown |
| Python | PYTHON_IMAGE | registry.hub.docker.com/library/python:3-slim | 1 Critical, 7 High, 29 Medium, 67 Low |
| Renovate | RENOVATE_IMAGE | registry.hub.docker.com/renovate/renovate:latest | 1 Critical, 8 High, 623 Medium, 119 Low |
| Robot Framework | ROBOT_BASE_IMAGE | registry.hub.docker.com/ppodgorsek/robot-framework:latest | |
| Source-to-Image | S2I_DIND_IMAGE | registry.hub.docker.com/library/docker:dind | 1 Medium, 2 Unknown |
| Source-to-Image | S2I_SKOPEO_IMAGE | quay.io/skopeo/stable:latest | |
| S3 (Simple Storage Service) | S3_CMD_IMAGE | registry.hub.docker.com/d3fk/s3cmd:latest | 6 Medium |
| Scala/SBT | SBT_IMAGE | registry.hub.docker.com/sbtscala/scala-sbt:17.0.2_1.6.2_3.1.3 | 46 Critical, 193 High, 243 Medium, 453 Low, 4 Unknown |
| Scala/SBT | SBT_SBOM_IMAGE | registry.hub.docker.com/anchore/syft:debug | |
| semantic-release | SEMREL_IMAGE | registry.hub.docker.com/library/node:lts-slim | 1 Critical, 1 High, 13 Medium, 57 Low |
| SonarQube | SONAR_SCANNER_IMAGE | registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest | 2 High, 24 Medium, 8 Low |
| Spectral | SPECTRAL_IMAGE | registry.hub.docker.com/stoplight/spectral:latest | 3 High, 28 Medium, 3 Low |
| Sphinx | SPHINX_IMAGE | ghcr.io/sphinx-doc/sphinx:latest | 3 Critical, 17 High, 46 Medium, 161 Low |
| Sphinx | SPHINX_LYCHEE_IMAGE | registry.hub.docker.com/lycheeverse/lychee:latest | 2 Critical, 20 High, 46 Medium, 73 Low |
| SQLFluff lint | SQLFLUFF_IMAGE | registry.hub.docker.com/sqlfluff/sqlfluff:latest | 2 Critical, 23 High, 48 Medium, 80 Low |
| Test SSL | TESTSSL_IMAGE | registry.hub.docker.com/drwetter/testssl.sh:latest | |
| Terraform | TF_CHECKOV_IMAGE | registry.hub.docker.com/bridgecrew/checkov | 3 Critical, 20 High, 31 Medium, 97 Low |
| Terraform | TF_DOCS_IMAGE | quay.io/terraform-docs/terraform-docs:edge | 1 Critical, 14 Medium, 1 Low |
| Terraform | TF_IMAGE | registry.hub.docker.com/hashicorp/terraform:latest | 2 Unknown |
| Terraform | TF_INFRACOST_IMAGE | registry.hub.docker.com/infracost/infracost | 61 Critical, 699 High, 477 Medium, 20 Low |
| Terraform | TF_PUBLISH_IMAGE | registry.hub.docker.com/curlimages/curl:latest | 10 Medium |
| Terraform | TF_TFLINT_IMAGE | ghcr.io/terraform-linters/tflint-bundle:latest | 5 Critical, 27 High, 94 Medium, 2 Low |
| Terraform | TF_TFSEC_IMAGE | registry.hub.docker.com/aquasec/tfsec-ci | 1 Critical, 4 High, 13 Medium, 2 Unknown |
| Terraform | TF_TRIVY_IMAGE | registry.hub.docker.com/aquasec/trivy | 11 Medium, 1 Low, 2 Unknown |