Security¶
Risks¶
CI/CD is the automation of most (if not all) process in your software lifecycle going from building to running the application in production. With so many things happening, attackers have a wide range of capabilities in case of a compromise:
- introduce dubious components (i.e. backdoor) in the application,
- leak (to the Internet) credentials granting access to internal services or infrastructures,
- access said services or infrastructures,
- impersonate an employee,
- leak intellectual property,
- ...
Every CI/CD job is executed inside a container image which contains various tools required by the job. When you are executing the job, you are trusting the people building the image and the tools.
In some cases, the image may have been corrupted by an attacker. This is what we call a supply chain attack. There are famous cases like the Codecov incident in which hackers managed to leak credentials from several services and cloud platforms.
Mitigations¶
Variables scoping¶
To prevent leakage, CI/CD variables has to be present only in jobs that need them. By example in the Maven template, only the mvn-sonar job actually needs the SONAR_TOKEN environment variable so others jobs (mvn-build, mvn-release...) should not access this secret.
You can find more info about how to protect your CI/CD variables in the official GitLab documentation.
Image selection¶
As much as we can, we try to select either official images (ex: Maven, Python), or at least images maintained by an active community. Each of those images can be freely overridden with the appropriate configuration variable to select fixed versions (more info here) or any alternative that would suit you more.
By default, to be continuous templates mostly use the latest tag from upstream images since it is a maintenance-less default that works for nearly everyone. However latest images are prone to supply chain attacks and are also likely to introduce breaking changes.
to be continuous is not responsible of any possible security issue from a default container image.
You should either :
- use a fixed version tag : using the
maven:3.9.1instead ofmaven:latestmake sure you stay on a specific version of tools- prefer official image with the least tools (prefer minimal size, Alpine distribution or even distro-less if you can find one suited to your needs), the more the image has, heavier is the risk
- build and maintain your own image with a chosen version for each tools
- use no or a minimal distribution
- upgrade tools and important components regularly with safe updates
- root-less image are best to prevent some container escalation vulnerabilities against your runner provider
Tip
Whenever building your own image or using an upstream image, you can use Renovate to watch updates for your tools, test the new version and integrate them seamlessly.
Vulnerability Reports (Trivy)¶
Warning
When reviewing vulnerabilities from containers, you have to consider the following principes :
- containers are usually very short-lived in a CI/CD environment
- no direct user access is possible
- most job does not expose any exteral services (i.e. HTTP server) making attacks reliant on user interaction very hard if not impossible to exploit
In short, risks are often low in the CI/CD context but carefully reviewing vulnerabilities are an essential step to secure your pipeline.
Here are vulnerability reports for each default image used by to be continuous templates (generated every day):
| Template | Image Variable | Default Image | Vulnerabilities |
|---|---|---|---|
| Ansible | ANSIBLE_IMAGE | registry.hub.docker.com/cytopia/ansible:latest-tools |
9 Medium, 1 Low, 2 Unknown |
| Ansible | ANSIBLE_LINT_IMAGE | registry.hub.docker.com/haxorof/ansible-lint:latest |
|
| Amazon Web Services | AWS_CLI_IMAGE | registry.hub.docker.com/amazon/aws-cli:latest |
|
| Azure | AZURE_CLI_IMAGE | mcr.microsoft.com/azure-cli:latest |
|
| Bash | BASH_BATS_IMAGE | registry.hub.docker.com/bats/bats:latest |
|
| Bash | BASH_SHELLCHECK_IMAGE | registry.hub.docker.com/koalaman/shellcheck-alpine:stable |
22 Medium, 4 Low, 2 Unknown |
| Bruno | BRU_IMAGE | registry.hub.docker.com/library/node:lts-alpine |
|
| GitLab Butler | BUTLER_IMAGE | registry.gitlab.com/to-be-continuous/tools/gitlab-butler:latest |
1 High |
| Cloud Foundry | CF_CLI_IMAGE | registry.hub.docker.com/governmentpaas/cf-cli |
7 Critical, 24 High, 64 Medium, 3 Low, 1 Unknown |
| Cloud Native Buildpacks | CNB_BUILDER_IMAGE | docker.io/paketobuildpacks/builder-jammy-base:latest |
77 Critical, 109 High, 1365 Medium, 151 Low |
| Cloud Native Buildpacks | CNB_SKOPEO_IMAGE | quay.io/skopeo/stable:latest |
|
| Cloud Native Buildpacks | CNB_TRIVY_IMAGE | docker.io/aquasec/trivy:latest |
|
| Cypress | CYPRESS_IMAGE | registry.hub.docker.com/cypress/included:13.13.3 |
12 Critical, 123 High, 251 Medium, 293 Low, 65 Unknown |
| dbt | DBT_IMAGE | ghcr.io/dbt-labs/dbt-core:latest |
4 Critical, 245 High, 1095 Medium, 587 Low, 7 Unknown |
| Docker Compose | DCMP_IMAGE | registry.hub.docker.com/library/docker:latest |
|
| DefectDojo | DEFECTDOJO_BASE_IMAGE | registry.hub.docker.com/library/node:alpine3.11 |
1 Critical, 25 High, 3 Medium, 1 Low |
| Dependency Track | DEPTRACK_SBOM_SCANNER_IMAGE | registry.gitlab.com/to-be-continuous/tools/dt-sbom-scanner:latest |
|
| Docker | DOCKER_BUILDAH_IMAGE | quay.io/containers/aio:latest |
|
| Docker | DOCKER_DIND_IMAGE | registry.hub.docker.com/library/docker:dind |
|
| Docker | DOCKER_HADOLINT_IMAGE | registry.hub.docker.com/hadolint/hadolint:latest-alpine |
8 High, 12 Medium |
| Docker | DOCKER_IMAGE | registry.hub.docker.com/library/docker:latest |
|
| Docker | DOCKER_KANIKO_IMAGE | gcr.io/kaniko-project/executor:debug |
|
| Docker | DOCKER_SBOM_IMAGE | registry.hub.docker.com/anchore/syft:debug |
|
| Docker | DOCKER_SKOPEO_IMAGE | quay.io/containers/aio:latest |
|
| Docker | DOCKER_TRIVY_IMAGE | registry.hub.docker.com/aquasec/trivy:latest |
|
| .NET | DOTNET_IMAGE | mcr.microsoft.com/dotnet/sdk:latest |
1 Critical, 9 High, 18 Medium, 97 Low |
| Google Cloud | GCP_CLI_IMAGE | gcr.io/google.com/cloudsdktool/cloud-sdk:latest |
3 Critical, 123 High, 466 Medium, 503 Low, 9 Unknown |
| Gitleaks | GITLEAKS_IMAGE | registry.hub.docker.com/zricethezav/gitleaks:latest |
1 High |
| GitLab Package | GLPKG_IMAGE | registry.hub.docker.com/curlimages/curl:latest |
|
| Go | GO_CI_LINT_IMAGE | registry.hub.docker.com/golangci/golangci-lint:latest-alpine |
4 Unknown |
| Go | GO_IMAGE | registry.hub.docker.com/library/golang:bookworm |
1 Critical, 108 High, 444 Medium, 383 Low, 4 Unknown |
| Go | GO_SBOM_IMAGE | $GO_IMAGE |
not fetched |
| Go | GO_SEMGREP_IMAGE | registry.hub.docker.com/semgrep/semgrep:latest |
1 High, 1 Medium, 4 Unknown |
| Gradle | GRADLE_IMAGE | registry.hub.docker.com/library/gradle:latest |
20 Medium, 29 Low |
| Helmfile | HELMFILE_CLI_IMAGE | ghcr.io/helmfile/helmfile:latest |
2 Critical, 4 High, 33 Medium |
| Helm | HELM_CLI_IMAGE | registry.hub.docker.com/alpine/helm:latest |
3 Medium |
| Helm | HELM_KUBE_SCORE_IMAGE | registry.hub.docker.com/zegl/kube-score |
8 Critical, 52 High, 71 Medium, 2 Low |
| Helm | HELM_YAMLLINT_IMAGE | registry.hub.docker.com/cytopia/yamllint |
7 High, 12 Medium, 2 Unknown |
| Hurl | HURL_IMAGE | ghcr.io/orange-opensource/hurl:latest |
|
| k6 | K6_IMAGE | registry.hub.docker.com/grafana/k6:latest |
|
| Kubernetes | K8S_KUBECTL_IMAGE | registry.hub.docker.com/bitnami/kubectl:latest |
1 Critical, 15 High, 25 Medium, 95 Low |
| Kubernetes | K8S_KUBE_SCORE_IMAGE | registry.hub.docker.com/zegl/kube-score:latest |
8 Critical, 52 High, 71 Medium, 2 Low |
| Lighthouse | LHCI_IMAGE | registry.hub.docker.com/cypress/browsers:latest |
3 Critical, 25 High, 147 Medium, 240 Low, 65 Unknown |
| GNU Make | MAKE_IMAGE | registry.hub.docker.com/alpinelinux/build-base |
6 High, 11 Medium, 6 Low, 3 Unknown |
| Maven | MAVEN_IMAGE | registry.hub.docker.com/library/maven:latest |
18 Medium, 29 Low |
| MkDocs | MKD_IMAGE | docker.io/squidfunk/mkdocs-material:latest |
2 High |
| MkDocs | MKD_LYCHEE_IMAGE | docker.io/lycheeverse/lychee:latest |
1 Critical, 3 High, 11 Medium, 54 Low |
| MobSF | MOBSF_CLIENT_IMAGE | registry.hub.docker.com/badouralix/curl-jq |
|
| Angular | NG_CLI_IMAGE | registry.hub.docker.com/trion/ng-cli-karma:latest |
1 Critical, 119 High, 462 Medium, 476 Low, 4 Unknown |
| Node.js | NODE_IMAGE | registry.hub.docker.com/library/node:lts-alpine |
|
| Node.js | NODE_SEMGREP_IMAGE | registry.hub.docker.com/semgrep/semgrep:latest |
1 High, 1 Medium, 4 Unknown |
| OpenShift | OS_CLI_IMAGE | quay.io/openshift/origin-cli:latest |
5 Medium |
| PHP | PHP_IMAGE | registry.hub.docker.com/library/php:latest |
1 Critical, 112 High, 443 Medium, 350 Low |
| Playwright | PLAYWRIGHT_IMAGE | mcr.microsoft.com/playwright:latest |
1 High, 490 Medium, 133 Low |
| Postman | POSTMAN_IMAGE | registry.hub.docker.com/postman/newman:latest |
4 High, 32 Medium, 5 Low, 2 Unknown |
| pre-commit | PRE_COMMIT_IMAGE | registry.hub.docker.com/library/python:3-alpine |
|
| Puppeteer | PUPPETEER_IMAGE | ghcr.io/puppeteer/puppeteer:latest |
5 Critical, 133 High, 576 Medium, 697 Low, 6 Unknown |
| Python | PYTHON_IMAGE | registry.hub.docker.com/library/python:3-slim |
1 Critical, 3 High, 13 Medium, 55 Low |
| Renovate | RENOVATE_IMAGE | registry.hub.docker.com/renovate/renovate:latest |
760 Medium, 62 Low |
| Robot Framework | ROBOT_BASE_IMAGE | registry.hub.docker.com/ppodgorsek/robot-framework:latest |
1 Critical, 1 High |
| Source-to-Image | S2I_DIND_IMAGE | registry.hub.docker.com/library/docker:dind |
|
| Source-to-Image | S2I_SKOPEO_IMAGE | quay.io/skopeo/stable:latest |
|
| S3 (Simple Storage Service) | S3_CMD_IMAGE | registry.hub.docker.com/d3fk/s3cmd:latest |
1 High, 6 Unknown |
| Scala/SBT | SBT_IMAGE | registry.hub.docker.com/sbtscala/scala-sbt:17.0.2_1.6.2_3.1.3 |
52 Critical, 215 High, 282 Medium, 595 Low, 10 Unknown |
| Scala/SBT | SBT_SBOM_IMAGE | registry.hub.docker.com/anchore/syft:debug |
|
| semantic-release | SEMREL_IMAGE | registry.hub.docker.com/library/node:lts-slim |
1 Critical, 3 High, 11 Medium, 54 Low |
| SonarQube | SONAR_SCANNER_IMAGE | registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest |
13 High, 9 Medium, 2 Low |
| Spectral | SPECTRAL_IMAGE | registry.hub.docker.com/stoplight/spectral:latest |
4 High, 31 Medium, 5 Low, 2 Unknown |
| Sphinx | SPHINX_IMAGE | ghcr.io/sphinx-doc/sphinx:latest |
2 Critical, 19 High, 35 Medium, 163 Low, 2 Unknown |
| Sphinx | SPHINX_LYCHEE_IMAGE | registry.hub.docker.com/lycheeverse/lychee:latest |
1 Critical, 3 High, 11 Medium, 54 Low |
| SQLFluff lint | SQLFLUFF_IMAGE | registry.hub.docker.com/sqlfluff/sqlfluff:latest |
2 Critical, 9 High, 28 Medium, 80 Low |
| Test SSL | TESTSSL_IMAGE | registry.hub.docker.com/drwetter/testssl.sh:latest |
|
| Terraform | TF_CHECKOV_IMAGE | registry.hub.docker.com/bridgecrew/checkov |
1 Critical, 12 High, 22 Medium, 96 Low |
| Terraform | TF_DOCS_IMAGE | quay.io/terraform-docs/terraform-docs:edge |
|
| Terraform | TF_IMAGE | registry.hub.docker.com/hashicorp/terraform:latest |
|
| Terraform | TF_INFRACOST_IMAGE | registry.hub.docker.com/infracost/infracost |
72 Critical, 734 High, 567 Medium, 20 Low, 2 Unknown |
| Terraform | TF_PUBLISH_IMAGE | registry.hub.docker.com/curlimages/curl:latest |
|
| Terraform | TF_TFLINT_IMAGE | ghcr.io/terraform-linters/tflint-bundle:latest |
7 Critical, 33 High, 130 Medium, 4 Low, 2 Unknown |
| Terraform | TF_TFSEC_IMAGE | registry.hub.docker.com/aquasec/tfsec-ci |
1 High, 1 Medium |
| Terraform | TF_TRIVY_IMAGE | registry.hub.docker.com/aquasec/trivy |