Continuous Integration and Continuous Delivery (CI/CD) pipelines have become indispensable in modern software development. These pipelines are critical touchpoints where code-level vulnerabilities, container security issues, and vulnerability remediation efforts converge. As the demand for stronger security measures grows across the software lifecycle—from code to cloud—CI/CD teams face increasing pressures to embed robust cybersecurity guardrails directly into their processes.
What is the CI/CD Cybersecurity SIG?
The CD Foundation’s CI/CD Cybersecurity SIG (Special Interest Group) aims to address these challenges by advancing security tooling within CI/CD pipelines. This SIG will identify open source DevSecOps tools aligned with established secure software development frameworks, integrating them into existing pipelines to ensure end-to-end security from code to cloud.
This SIG will develop a guide to help DevOps engineers build security-compliant CI/CD pipelines by mapping open source automation tools to evolving security frameworks. As security standards evolve, pipeline updates are essential to ensure safer software development. The SIG will explore the intersection of security tooling and the CI/CD pipeline, as well as identify key security practices, tools, and strategies that align with accepted frameworks such as the Secure Software Development Framework and the NIST Cybersecurity Framework. This SIG aligns framework-defined tasks with open-source tools to accomplish them.
Why now?
The necessity of the CI/CD Cybersecurity SIG is underscored by rising industry challenges and trends:
1. Rising Vulnerabilities
- In 2024, the total number of vulnerabilities reached over 250,000.
- Many vulnerabilities remain unaddressed for over a year, exposing organizations to significant risks.
- IBM research shows that delays in vulnerability remediation cost enterprises an average of $5.5 million annually.
2. Expanding Threat Landscape with AI
- The rapid development of AI-driven solutions has introduced new security challenges.
- This trend has broadened the attack surface, particularly in securing pipelines associated with Large Language Models (LLMs) and other AI workloads.
3. Private sector demand for accountable and secure open source packages
- The surge in software vulnerabilities has put open source under scrutiny. To maintain trust, contributors must demonstrate compliance with security standards. While most open source maintainers want to deliver secure code, they often lack the time and resources. This SIG aims to ease that burden—by showcasing how to automate security tooling within CI/CD pipelines, we empower contributors to improve security compliance with minimal effort.
While organizations like the Cloud Native Computing Foundation (CNCF) and the Open Source Security Foundation (OpenSSF) are developing innovative security tools, discussions around their integration within CI/CD pipelines remain limited. Addressing this gap is critical for the evolution of CI/CD practices.
Goals and Objectives
1. Develop Integration Frameworks
Identify open source security tools and map them to established secure software development frameworks and standards, so they can be integrated into CI/CD pipelines.
2. Promote Security Best Practices
Encourage adherence to security guardrails within CI/CD workflows, with an emphasis on key domains such as:
- Code-level security
- Container security
- Vulnerability management
3. Track and Align Emerging Tools
Monitor and catalog emerging security tools that support evolving CI/CD requirements and align with recognized security standards and best practices.
4. Collaborate with Industry Leaders
Partner with CNCF, OpenSSF, and other relevant communities to drive adoption of standardized security practices and foster cross-industry collaboration.
Scope of Work
The SIG will undertake the following key activities:
- Map tools to framework-defined ‘tasks’ and document playbooks and guidelines for securely integrating security tooling within CI/CD.
- Provide recommendations for securing pipelines used in AI and LLM deployments.
- Identify gaps in current CI/CD security tooling and collaborate with the community to address these gaps.
- Review and enhance existing security recommendations tailored specifically to CI/CD pipelines.
Key references for the SIG’s work include:
Audience and Participants
The CI/CD Cybersecurity SIG welcomes participation from all professionals and organizations engaged in CI/CD, AI, and security. Key groups include:
- Open source project communities from CDF, OpenSSF, and CNCF
- CDF and OpenSSF Ambassadors
- Members of the OpenSSF DevRel Committee
- Attendees of CDF CD Events
- CDF Member companies
- CDF End User Council participants
Who Should Join?
The effort is open to all involved in CI/CD, AI, and Security. Within CDF it is essential we engage our broader community, including:
- Open source project communities from the CDF, OpenSSF, and CNCF
- CDF and OpenSSF Ambassadors
- OpenSSF DevRel Committee
- CDF CDEvents
- CDF Member companies
- CDF End User Council participants
Join the CI/CD Cybersecurity SIG
- Join the CICD-Cybersecurity GitHub repo and add your name to the README.
- Join the Continuous Delivery Foundation’s Slack and find the #sig-cicd-cybersecurity channel.
- Join the SIG’s mailing list
Fortnightly Meetings
We meet every two weeks on Tuesday. Request a meeting invitation.
Contributors
- Kate Scarcella, Independent (Chair)
- Minyi Chen, Fidelity Investments
- Ann Marie Fred, Red Hat
- Tracy Ragan, DeployHub
- Jude Wellington, ITMP, LLC
- Kris Stern, Quarky Works
Contact Us
If you have any issues with the form or any other questions, email us.
Mailing List & GitHub
Subscribe to the mailing list and check out our GitHub repo.