The OWASP Top 10 CI/CD Security Risks to Harden DevSecOps

Organizations adopt CI/CD pipelines to accelerate software delivery, but as with all forms of cybersecurity, true resilience is a moving target. Poorly managed CI/CD pipelines pose a serious risk to software supply chains, potentially impacting thousands of downstream users. In response, software vendors and development teams need to adopt a "shift-left" approach: adding more security earlier in the development process.

Even aside from human error, high-profile incidents like the SolarWinds breach, Codecov compromise, and other DevOps failures show that attackers can abuse build systems to distribute malicious code. Flaws like Dependency Confusion and supply chain attacks on popular NPM packages (e.g., ua-parser-js, coa, rc) illustrate how even trusted dependencies can become vectors for widespread compromise.

However, many security teams are still in the early stages of understanding and managing the risks unique to CI/CD and the broader security challenge of DevSecOps. Striking the right balance between strong security and engineering velocity remains a challenge, as defenders seek effective controls that protect the pipeline without slowing down development.

In addition to OWASP's Top 10 Web Application Security Risks, and other useful resources, OWASP maintains other key security checklists including:

In this article, we will review OWASP's latest offering to support cybersecurity at all levels: The OWASP Top 10 CI/CD Security Risks.

The OWASP CI/CD Top Ten

The OWASP “Top 10 CI/CD Security Risks” is a collaborative effort to help organizations secure their continuous integration and delivery (CI/CD) pipelines. The list is based on real-world threats and breaches analyzed by industry experts, and it creates a hierarchy of the most critical risks in modern DevOps environments. By reviewing and applying these insights, organizations can better prioritize defenses, reduce exposure, and strengthen the overall security of their CI/CD ecosystems.

The OWASP Top 10 CI/CD Security Risks are:

  • Insufficient Flow Control Mechanisms [CICD-SEC-1]: Lack of review or approval steps in CI/CD pipelines could allow attackers, even with limited access, to push malicious code directly to production. Enforce flow control by using branch protection, restricting auto-merges, requiring approvals for deployments, and verifying artifact provenance to prevent single-actor compromise of the pipeline. In the end, accountability at all stages of a CI/CD pipeline is essential. Some researchers even propose ways that LLMs can support more effective code review.

  • Inadequate Identity and Access Management [CICD-SEC-2]: Poorly managed access controls for human and programmatic identities across CI/CD systems increase risk of compromise. Over-permissive, stale, local, external, or shared accounts may grant attackers broad access. Even unremediated CVE vulnerabilities may allow privilege escalation. Enforce least privilege, mandate MFA and use of password managers, centralize identity with SSO/IdP, and avoid shared credentials to reduce identity-related attack surfaces.

  • Dependency Chain Abuse [CICD-SEC-3]: Attackers exploit how dependencies are fetched—via techniques like dependency confusion, hijacking, or typosquatting—to execute malicious code on developer machines or CI systems. Prevent direct internet pulls, use internal vetted proxies, enforce package scoping, verify checksums, and lock versions to reduce supply chain risk and avoid pulling and running malicious packages.

  • Poisoned Pipeline Execution (PPE) [CICD-SEC-4]: PPE occurs when attackers modify CI configurations or files they reference to execute malicious code during builds—without accessing the CI system itself. It enables secret theft, artifact tampering, or environment compromise. Isolate untrusted code execution, protect pipeline configs, restrict secrets, and review contributions to prevent direct, indirect, or public PPE attacks.

  • Insufficient PBAC (Pipeline-Based Access Controls) [CICD-SEC-5]: Pipelines often have excessive permissions to code, secrets, systems, and networks. Without fine-grained PBAC, malicious code run during builds can steal credentials, move laterally, or poison artifacts. Restrict access per pipeline and step, isolate nodes by sensitivity, revert nodes post-run, and limit network and OS permissions to reduce blast radius.

  • Insufficient Credential Hygiene [CICD-SEC-6]: Weak credential hygiene in CI/CD—like hardcoded secrets, shared credentials, exposed logs, and unrotated tokens—gives attackers easy access to high-value systems. Prevent leaks by scanning code and images for secrets, rotating credentials regularly, restricting scope, avoiding console exposure, and enforcing least privilege at every stage of the pipeline lifecycle.

  • Insecure System Configuration [CICD-SEC-7]: Misconfigured or outdated CI/CD systems—such as SCMs, artifact registries, or build servers—can expose low-hanging attack vectors. Poor network controls, default credentials, weak hardening, and insecure settings may allow lateral movement or access to secrets. Regularly patch systems, audit configurations, and enforce least privilege to strengthen CI/CD infrastructure posture.

  • Ungoverned Usage of 3rd Party Services [CICD-SEC-8]: Third-party services are often easily integrated into CI/CD systems with high privileges but little oversight. Without governance, these services expand the attack surface and can be abused to exfiltrate code or trigger malicious builds. Vet all integrations, enforce least privilege, monitor usage, and regularly de-provision unused or over-permissive third parties.

  • Improper Artifact Integrity Validation [CICD-SEC-9]: Without strong validation, tampered code or artifacts can flow through CI/CD pipelines undetected, reaching production. Attackers may insert malicious components disguised as legitimate. Mitigate risk by enforcing artifact signing, verifying signatures and hashes, detecting configuration drift, and adopting frameworks like SLSA, Sigstore, and in-toto to ensure end-to-end integrity.

  • Insufficient Logging and Visibility [CICD-SEC-10]: Without robust logging and visibility across CI/CD systems, attackers can operate undetected and leave minimal forensic traces. Many engineering tools lack default logging or centralized monitoring. Map all systems, enable both audit and activity logs, ship them to a SIEM, and create alerts to detect anomalies in access and pipeline behavior.
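
An added example, not part of the original article or OWASP's guidance: a CI gate for the CICD-SEC-3 mitigations listed above (internal vetted proxy, package scoping, checksums, locked versions) that audits an npm lockfile before install. The proxy host, the private package name and the sample lockfile are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Assumed policy values (hypothetical, not from the article).
PROXY_HOST = "npm.internal.example"   # the vetted internal registry proxy
PRIVATE_NAMES = {"billing-client"}    # internal packages; valid only as @acme/<name>
STRONG_HASHES = ("sha512-", "sha384-", "sha256-")

def audit_lockfile(lock: dict) -> list[tuple[str, str]]:
    """Return (package, finding) pairs for an npm lockfile (lockfileVersion 2 or 3)."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        # "" is the root project; links are local workspaces; bundled deps carry no URL.
        if not path or meta.get("link") or meta.get("inBundle"):
            continue
        name = path.split("node_modules/")[-1]
        host = urlparse(meta.get("resolved", "")).hostname
        if host != PROXY_HOST:
            findings.append((name, f"fetched outside vetted proxy ({host or 'no URL'})"))
        if not meta.get("integrity", "").startswith(STRONG_HASHES):
            findings.append((name, "missing or weak integrity hash"))
        if name in PRIVATE_NAMES:
            findings.append((name, "private name used without scope"))
    return findings

# Constructed sample lockfile; the integrity values are placeholders, not real digests.
SAMPLE_LOCK = json.loads("""
{
  "name": "shop", "lockfileVersion": 3,
  "packages": {
    "": {"name": "shop", "version": "1.0.0"},
    "node_modules/@acme/billing-client": {
      "version": "2.1.0",
      "resolved": "https://npm.internal.example/@acme/billing-client/-/billing-client-2.1.0.tgz",
      "integrity": "sha512-PLACEHOLDER=="},
    "node_modules/billing-client": {
      "version": "99.0.0",
      "resolved": "https://registry.npmjs.org/billing-client/-/billing-client-99.0.0.tgz",
      "integrity": "sha512-PLACEHOLDER=="},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://npm.internal.example/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha1-PLACEHOLDER="}
  }
}
""")

if __name__ == "__main__":
    for pkg, issue in audit_lockfile(SAMPLE_LOCK):
        print(f"FAIL {pkg}: {issue}")
```

Run as a pipeline step ahead of dependency installation and fail the build on any finding; the unscoped `billing-client` entry is the pattern a dependency confusion incident leaves in a lockfile.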

Conclusion

The OWASP Top 10 CI/CD Security Risks provides essential guidance for securing fast-moving DevOps environments. By addressing common weaknesses—such as dependency abuse, excessive privileges, and poor credential hygiene—organizations can reduce the risk of supply chain attacks and protect software integrity. Applying these practices strengthens pipeline security without sacrificing delivery speed or engineering agility.
