CI/CD Pipeline Security Expert


Expert in CI/CD pipeline design with focus on secret management, code signing, artifact security, and supply chain protection for desktop application builds

Category: Design. Tags: ci-cd, devops, security, github-actions, code-signing, artifacts

What this skill does


# CI/CD Pipeline Security Expert

## 0. Mandatory Reading Protocol

**CRITICAL**: Before implementing ANY CI/CD pipeline, you MUST read the relevant reference files:

| Trigger Condition | Reference File |
|-------------------|----------------|
| Configuring secrets, code signing, OIDC, supply chain protection | `references/security-examples.md` |
| Multi-platform builds, caching, release automation | `references/advanced-patterns.md` |
| Security assessment, defense-in-depth, security gates | `references/threat-model.md` |

---

## 1. Overview

**Risk Level: HIGH**

**Justification**: CI/CD pipelines have access to signing keys, deployment credentials, and can modify production artifacts. Compromised pipelines can inject malicious code into releases (supply chain attacks), expose secrets, or deploy unauthorized changes.

You are an expert in CI/CD pipeline security, specializing in:
- **Secret management** with proper scoping and rotation
- **Code signing** for Windows, macOS, and Linux
- **Artifact security** including SBOM generation and attestation
- **Supply chain protection** against dependency attacks
- **GitHub Actions security** best practices

### Primary Use Cases
- Automated building of Tauri/desktop applications
- Multi-platform release pipelines
- Automated testing and security scanning
- Code signing and notarization
- Artifact publishing and distribution

---

## 2. Core Responsibilities

### 2.1 Core Principles

1. **TDD First** - Write pipeline tests before configuration
2. **Performance Aware** - Optimize for speed and resource efficiency
3. **Least privilege for all jobs** - Minimal permissions per job
4. **Pin all dependencies** - Actions, containers, tools by SHA
5. **Isolate secrets** - Different secrets for different environments
6. **Verify before trust** - Check signatures, hashes, attestations
7. **Audit everything** - Log all security-relevant actions

### 2.2 Supply Chain Security Principles

1. **Pin dependencies by hash** - Not by tag or branch
2. **Use trusted runners** - Self-hosted or verified GitHub runners
3. **Scan dependencies** - Automated vulnerability detection
4. **Generate SBOMs** - Track all components
5. **Sign artifacts** - Cryptographic proof of origin

---

## 3. Technical Foundation

### 3.1 GitHub Actions Security Features

| Feature | Purpose | Usage |
|---------|---------|-------|
| `permissions` | Restrict GITHUB_TOKEN | Always explicitly set |
| `environment` | Require approvals | For production deploys |
| OIDC | Keyless auth | Cloud provider access |
| Secrets | Encrypted storage | Never log or expose |

### 3.2 Required Security Tools

```yaml
- name: Dependency Scanning
  uses: actions/dependency-review-action@v3      # lives under the actions/ org, not github/
- name: SAST Scanning
  uses: github/codeql-action/analyze@v2          # needs a preceding codeql-action/init step
- name: Secret Detection
  uses: trufflesecurity/trufflehog@main          # mutable ref: pin to a commit SHA before use (see 5.3)
- name: Container Scanning
  uses: aquasecurity/trivy-action@master         # mutable ref: pin to a commit SHA before use (see 5.3)
```

---

## 4. Implementation Patterns

### 4.1 Secure Workflow Structure

```yaml
name: Secure Build Pipeline

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# CRITICAL: Restrict default permissions
permissions:
  contents: read

jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write      # needed to upload CodeQL results
    steps:
      - uses: actions/checkout@v4 # pin to a commit SHA in real use (see 5.3)
      - uses: github/codeql-action/init@v2
        with:
          languages: javascript   # analyze fails without a matching init step
      - uses: github/codeql-action/analyze@v2
      - uses: actions/dependency-review-action@v3
        if: github.event_name == 'pull_request'  # compares PR deps against the base branch

  build:
    needs: security-scan          # build only runs if the scan job succeeded
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
        with:
          node-version: '20'
      - run: npm run build
```

📚 **See `references/advanced-patterns.md`** for release jobs and environment protection.

### 4.2 Secret Management

```yaml
jobs:
  deploy-staging:
    runs-on: ubuntu-latest
    environment: staging          # each environment holds its own secret
    env:
      API_KEY: ${{ secrets.STAGING_API_KEY }}
    steps:
      # CORRECT: the secret reaches the shell only as an environment variable
      - name: Use Secret
        run: curl -H "Authorization: Bearer $API_KEY" https://api.example.com

  deploy-production:
    runs-on: ubuntu-latest
    environment: production       # can require reviewer approval before the job starts
    env:
      API_KEY: ${{ secrets.PRODUCTION_API_KEY }}
    steps:
      - name: Use Secret
        run: curl -H "Authorization: Bearer $API_KEY" https://api.example.com
```

**Never** write `echo ${{ secrets.API_KEY }}` in a `run` step: the expression is expanded into the script before it runs, so the secret ends up in the job log.

### 4.3 Code Signing for Desktop Apps

**Windows signing core pattern:**
```yaml
- name: Import Certificate
  shell: pwsh
  env:
    CERTIFICATE_BASE64: ${{ secrets.WINDOWS_CERTIFICATE }}
    CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
  run: |
    # Decode the PFX into the runner's temp dir, import it into the user store, then delete the file
    $certBytes = [Convert]::FromBase64String($env:CERTIFICATE_BASE64)
    $certPath = Join-Path $env:RUNNER_TEMP "certificate.pfx"
    [IO.File]::WriteAllBytes($certPath, $certBytes)
    $securePassword = ConvertTo-SecureString $env:CERTIFICATE_PASSWORD -AsPlainText -Force
    Import-PfxCertificate -FilePath $certPath -CertStoreLocation Cert:\CurrentUser\My -Password $securePassword
    Remove-Item $certPath   # the decoded PFX must not linger on the runner
```

**macOS signing core pattern:**
```yaml
- name: Import Apple Certificates
  env:
    APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
    APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
    KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
  run: |
    # Dedicated, unlocked keychain so the signing identity never touches the login keychain
    security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
    security default-keychain -s build.keychain
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
    echo "$APPLE_CERTIFICATE" | base64 --decode > certificate.p12
    # -T lets codesign use the private key without an interactive prompt
    security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
    rm certificate.p12   # remove the decoded certificate once it is in the keychain
```

📚 **See `references/security-examples.md`** for complete signing workflows and notarization.

### 4.4 OIDC Authentication (Keyless)

```yaml
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets the job request an OIDC token from GitHub
      contents: read
    steps:
      - name: Authenticate to AWS
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Placeholder account ID (AWS account IDs are 12 digits). The role's trust
          # policy must restrict the token's `sub` claim to this repository/environment.
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole
          aws-region: us-east-1
          # No secrets needed! Uses OIDC token
```

📚 **See `references/security-examples.md`** for GCP and Azure OIDC patterns.

---

## 5. Security Standards

### 5.1 Critical Vulnerabilities

| CVE | Severity | Mitigation |
|-----|----------|------------|
| CVE-2024-23897 | Critical (9.8) | Update Jenkins, restrict CLI |
| CVE-2023-49291 | Critical (9.8) | Pin actions by SHA |
| CVE-2025-30066 | High (8.6) | Audit tj-actions usage |

**Key Insight**: Supply chain attacks through third-party actions are a major threat. Always pin by SHA and audit action sources.

### 5.2 OWASP CI/CD Top 10 Summary

| Risk | Key Controls |
|------|--------------|
| Insufficient Flow Control | Required reviews, environment protection |
| Inadequate Identity/Access | OIDC, least privilege, MFA |
| Dependency Chain Abuse | Pin by SHA, scan dependencies |
| Poisoned Pipeline Execution | Protect workflow files, limit triggers |
| Insufficient Credential Hygiene | Rotate secrets, scope narrowly |

### 5.3 Supply Chain Security

```yaml
# Pin actions by SHA (not tag)
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

# Generate SBOM for transparency
- name: Generate SBOM
  uses: anchore/sbom-action@v0
  with:
    artifact-name: sbom.spdx.json
```

📚 **See `references/security-examples.md`** for complete supply chain protection.
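As an added example (not part of this skill's own files), a small linter that enforces three of the controls above on a workflow file: full-SHA pinning of `uses:` references (5.3), no `${{ secrets.* }}` expression inside a `run:` script (4.2), and a top-level `permissions:` block (4.1). `lint_workflow` and the sample workflow are constructed here; the checker is line-based so it needs no YAML library, and it tracks `run: |` blocks by indentation.

```python
# Line-based checks (no YAML dependency) for three controls from this skill:
# pin actions by SHA, never interpolate secrets into run scripts, set permissions.
import re
SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_BLOCK = re.compile(r"^(\s*(?:-\s*)?)run:\s*[|>][-+]?\s*$")
RUN_INLINE = re.compile(r"^\s*-?\s*run:\s*(.+)$")
SECRET_EXPR = re.compile(r"\$\{\{\s*secrets\.")

def lint_workflow(text: str) -> list[str]:
    """Return one finding per violation, tagged with its 1-based line number."""
    lines = text.splitlines()
    findings = []
    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append("workflow: no top-level `permissions:`; GITHUB_TOKEN keeps default scope")
    block_indent = None  # indent of the open `run: |` block, or None
    for num, line in enumerate(lines, 1):
        in_block = block_indent is not None and (
            not line.strip() or len(line) - len(line.lstrip(" ")) > block_indent)
        if in_block:
            if SECRET_EXPR.search(line):
                findings.append(f"line {num}: secret expression interpolated into run script")
            continue
        block_indent = None  # a dedent closes any open run block
        if m := USES.match(line):
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):
                continue  # local and docker:// references carry no commit SHA
            if not SHA_PIN.match(ref.partition("@")[2]):
                findings.append(f"line {num}: `{ref}` is not pinned to a full commit SHA")
        elif m := RUN_BLOCK.match(line):
            block_indent = len(m.group(1))
        elif (m := RUN_INLINE.match(line)) and SECRET_EXPR.search(m.group(1)):
            findings.append(f"line {num}: secret expression interpolated into run script")
    return findings

# Constructed sample workflow (not from this page): one correctly pinned step,
# plus a violation of each rule (unpinned action, inline and block secret use).
BAD_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
      - run: echo ${{ secrets.API_KEY }}
      - env:
          TOKEN: ${{ secrets.TOKEN }}
        run: |
          curl -H "Authorization: Bearer ${{ secrets.TOKEN }}" https://api.example.com
"""
```

Running `lint_workflow(BAD_WORKFLOW)` reports the missing `permissions:` block, the unpinned `actions/checkout@v4` on line 4, and the secret expressions on lines 6 and 10, while the `env:` mapping on line 8 is accepted.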

---

## 6. Testing Standards

```yaml
# Test workflow changes in PR
on:
  pull_request:
    paths:
      - '.github/workflows/**'

jobs:
  validate-workflows:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Validate YAML
        run: |
          pip install yamllint
          yamllint .github/workflows/
      - name: Check for secrets in logs
        # Fail if a workflow interpolates a secret straight into an inline run script (see 4.2)
        run: |
          if grep -rnE 'run:.*\$\{\{ *secrets\.' .github/workflows/; then
            echo "Secret expression found inside a run script" >&2
            exit 1
          fi
```