OWASP Top 10 CI/CD Security Controls
Type: Initiative
ID: OWASP-TOP10-CICD-SC-GH
Version: ``
Bundle-Version: v2
Source: v2/initiatives/owasp-top10-cicd-gh.yaml
Help: https://owasp.org/www-project-top-10-ci-cd-security-risks/
OWASP Top 10 CI/CD Security Controls - GitHub
Description
This initiative provides a set of security controls for CI/CD pipelines implementing the OWASP Top 10 CI/CD Security Risks framework.
Required Evidence
This initiative requires the following evidence types:
- Signed SBOM
- Image SBOM
- Git SBOM
- Signed Git SBOM
- Signed SLSA Provenance
- SARIF Evidence
- Github Organization Discovery Evidence
- Github Repository Discovery Evidence
Evidence Defaults
| Field | Value |
|---|---|
| signed | False |
Rule Parameters
To configure this initiative for your organization needs, the following parameters should be specified:
- [CICD-SEC-1] Insufficient Flow Control Mechanisms
- Require Branch Protection
branches:array- List of branches to be protected.
Default:['main', 'master'].
- Pull request approval policy check
approvals_required_min:number- Minimum number of approvals required for pull requests.
Default:1.
- Require Branch Protection
- [CICD-SEC-2] Inadequate Identity and Access Management
- Limit Admin Number
max_admins:integer- Maximum number of admins allowed.
Default:4.
- Allowed GitHub Organization Admins
allowed_admins:array- List of allowed GitHub organization admins.
- Allowed GitHub Organization Users
allowed_users:array- List of allowed users.
- 'Create repositories' permissions check
- Limit Public Repositories
allowed_repo_names:array- List of repository pattern allowed to be visible.
- Limit Admin Number
- [CICD-SEC-3] Dependency Chain Abuse
- Ensure that base images are from an approved source
approved_sources:array- A list of approved base image registry URL prefixes.
Default:['index.docker.io/library/.*', 'gcr.io/.*'].
- Verify NPM Packages Origin
allowed_registries:array- A list of allowed NPM registries.
Default:['https://registry.npmjs.org/'].
- Ensure that base images are from an approved source
- [CICD-SEC-4] Poisoned Pipeline Execution
- Restrict Pipeline Script Modification
files:array- The list of files that are allowed to be committed to the repository.
Default:['.github/workflow/*.yml', '.github/workflow/*.yaml'].ids:array- The list of user (commit.author) IDs allowed to commit to the repository.
- Require Branch Protection
branches:array- List of branches to be protected.
Default:['main', 'master'].
- Restrict Pipeline Script Modification
- [CICD-SEC-6] Insufficient Credential Hygiene
- Verify No Old Secrets Exist in Organization
max_secret_age:integer- Maximum age of secrets in months.
Default:6.
- Verify No Old Secrets Exist in Repository
max_secret_age:integer- Maximum age of secrets in months.
Default:6.
- Verify Trivy Secret Scan Report
rule_names:array- List of rule names to check for in the Trivy SARIF report.
Default:['Secret'].max_allowed:integer- The maximum number of allowed violations.
- Verify No Old Secrets Exist in Organization
Controls Overview
| Control Name | Control Description | Mitigation |
|---|---|---|
| [CICD-SEC-1] Insufficient Flow Control Mechanisms | Ensure that the CI/CD pipeline has sufficient flow control mechanisms to prevent unauthorized pushing of malicious code into artifacts. | Implement branch protection rules to prevent unauthorized changes. Require signed commits to maintain code integrity. |
| [CICD-SEC-2] Inadequate Identity and Access Management | Ensure that the CI/CD pipeline has adequate identity and access management to prevent unauthorized access to the pipeline and artifacts. | Implement strong identity and access management practices. Enforce multi-factor authentication (MFA) for all users. Limit the number of administrators to the minimum required. Ensure repositories are private to prevent unauthorized access. |
| [CICD-SEC-3] Dependency Chain Abuse | Ensure that the CI/CD pipeline has mechanisms to prevent dependency chain abuse. | |
| [CICD-SEC-4] Poisoned Pipeline Execution | Ensure that the pipeline script cannot be tampered with | Restrict access to the pipeline script to prevent unauthorized modifications. Implement strict permissions and review processes for any changes to the pipeline script. |
| [CICD-SEC-5] Insufficient Pipeline Access Controls | Ensure that the CI/CD pipeline has sufficient access controls to prevent unauthorized access to the pipeline and artifacts. Implement strict access controls for the CI/CD pipeline to prevent unauthorized access. Use ephemeral runners to ensure a clean environment for each pipeline run. Ensure that secrets are not shared across pipelines and are scoped to the minimum required. | |
| [CICD-SEC-6] Insufficient Credential Hygiene | Ensure that the CI/CD pipeline has sufficient credential hygiene to prevent unauthorized access to the pipeline and artifacts. | |
| [CICD-SEC-7] Insecure System Configuration | Ensure that the CI/CD pipeline has secure system configuration to prevent unauthorized access to the pipeline and artifacts. | |
| [CICD-SEC-8] Ungoverned Usage of 3rd Party Services | Ensure that the CI/CD pipeline has mechanisms to prevent ungoverned usage of 3rd party services. | |
| [CICD-SEC-9] Improper Artifact Integrity Validation | Ensure that the CI/CD pipeline has mechanisms to validate the integrity of artifacts. | Implement processes and technologies to validate the integrity of resources all the way from development to production. |
| [CICD-SEC-10] Insufficient Logging and Visibility | Ensure that the CI/CD pipeline has sufficient logging and visibility to detect unauthorized access to the pipeline and artifacts. | Identify and build an inventory of all the systems in use within the organization, containing every instance of these systems. |
Detailed Controls
[CICD-SEC-1] Insufficient Flow Control Mechanisms
Ensure that the CI/CD pipeline has sufficient flow control mechanisms to prevent unauthorized pushing of malicious code into artifacts.
Mitigation
Implement branch protection rules to prevent unauthorized changes. Require signed commits to maintain code integrity.
Rules
| Rule ID | Rule Name | Rule Description |
|---|---|---|
| github-repo-branch-protection | Require Branch Protection | Configure branch protection rules on branches hosting code which is used in production and other sensitive systems. |
| github-repo-pr-approval | Pull request approval policy check | Ensure that the repository's PR approval policy requires a minimum number of approvals. |
| github-repo-signed-commits | Accept Signed Commits | Ensure all commits signing is required by branch protection, in order to maintain code integrity. |
| github-repo-web-commit-signoff | Require Signoff on Web Commits | Ensure that the GitHub repository requires signoff on web commits. |
| sbom-signed | Require Image and Git SBOMs to be signed | Verify images and git SBOMs are signed. |
[CICD-SEC-2] Inadequate Identity and Access Management
Ensure that the CI/CD pipeline has adequate identity and access management to prevent unauthorized access to the pipeline and artifacts.
Mitigation
Implement strong identity and access management practices. Enforce multi-factor authentication (MFA) for all users. Limit the number of administrators to the minimum required. Ensure repositories are private to prevent unauthorized access.
Rules
| Rule ID | Rule Name | Rule Description |
|---|---|---|
| github-org-2fa | Enforce MFA | Mandate multi-factor authentication. |
| github-org-max-admins | Limit Admin Number | Limit the number of admins to the minimum required. |
| github-org-allowed-admins | Allowed GitHub Organization Admins | Verify only users in the Allowed List have admin privileges. |
| github-org-allowed-users | Allowed GitHub Organization Users | Verify only users in the Allowed List have user access to the GitHub organization. |
| github-org-create-repos | 'Create repositories' permissions check | Ensure only allowed users can create repositories in the GitHub organization. |
| github-org-repo-visibility | Limit Public Repositories | Verify only repositories in the Allowed List are public in the GitHub organization. |
[CICD-SEC-3] Dependency Chain Abuse
Ensure that the CI/CD pipeline has mechanisms to prevent dependency chain abuse.
Rules
| Rule ID | Rule Name | Rule Description |
|---|---|---|
| allowed-base-image | Ensure that base images are from an approved source | Verify that every base image is from an approved source. |
| allowed-npm-registries | Verify NPM Packages Origin | Verify that NPM packages are pulled from an approved registry. |
[CICD-SEC-4] Poisoned Pipeline Execution
Ensure that the pipeline script cannot be tampered with
Mitigation
Restrict access to the pipeline script to prevent unauthorized modifications. Implement strict permissions and review processes for any changes to the pipeline script.
Rules
| Rule ID | Rule Name | Rule Description |
|---|---|---|
| git-coding-permissions | Restrict Pipeline Script Modification | Restrict access to the pipeline script to prevent tampering. |
| github-repo-branch-protection | Require Branch Protection | Implement branch protection rules to prevent unauthorized changes. |
[CICD-SEC-5] Insufficient Pipeline Access Controls
Ensure that the CI/CD pipeline has sufficient access controls to prevent unauthorized access to the pipeline and artifacts. Implement strict access controls for the CI/CD pipeline to prevent unauthorized access. Use ephemeral runners to ensure a clean environment for each pipeline run. Ensure that secrets are not shared across pipelines and are scoped to the minimum required.
Rules
| Rule ID | Rule Name | Rule Description |
|---|---|---|
| github-repo-ephemeral-runners-only | Use Ephemeral GitHub Runner | Use ephemeral runners to ensure a clean environment for each pipeline run. |
| github-repo-no-org-secrets | Separate Repo Secrets | Avoid sharing the same set of credentials across multiple contexts. |
[CICD-SEC-6] Insufficient Credential Hygiene
Ensure that the CI/CD pipeline has sufficient credential hygiene to prevent unauthorized access to the pipeline and artifacts.
Rules
| Rule ID | Rule Name | Rule Description |
|---|---|---|
| github-org-old-secrets | Verify No Old Secrets Exist in Organization | Verify secrets in the GitHub organization are not older than the specified threshold. |
| github-repo-old-secrets | Verify No Old Secrets Exist in Repository | Verify secrets in the GitHub repository are not older than the specified threshold. |
| github-repo-no-org-secrets | Separate Repo Secrets | Avoid sharing the same set of credentials across multiple contexts. |
| github-repo-secret-scanning | Verify secret_scanning setting | Detect secrets pushed to and stored on code repositories. |
| trivy-secret-scan | Verify Trivy Secret Scan Report | Verify the Trivy report for exposed secrets. |
[CICD-SEC-7] Insecure System Configuration
Ensure that the CI/CD pipeline has secure system configuration to prevent unauthorized access to the pipeline and artifacts.
Rules
| Rule ID | Rule Name | Rule Description |
|---|---|---|
| github-repo-ephemeral-runners-only | Use Github Runner | Use ephemeral runners to ensure a clean environment for each pipeline run. |
[CICD-SEC-8] Ungoverned Usage of 3rd Party Services
Ensure that the CI/CD pipeline has mechanisms to prevent ungoverned usage of 3rd party services.
This control not currently supported on this platform.
[CICD-SEC-9] Improper Artifact Integrity Validation
Ensure that the CI/CD pipeline has mechanisms to validate the integrity of artifacts.
Mitigation
Implement processes and technologies to validate the integrity of resources all the way from development to production.
Rules
| Rule ID | Rule Name | Rule Description |
|---|---|---|
| sbom-signed | Artifact verification software (Image SBOM) | Verify image SBOMs are signed. |
| git-sbom-signed | Artifact verification software (Git SBOM) | Verify Git SBOMs are signed. |
| SLSA.L2 | Artifact verification software (SLSA) | Verify SLSA Provenance attestations are signed. |
| git-disallow-unsigned-commits | Code signing (Git SBOM) | Verify all commits are signed. |
| github-repo-signed-commits | Code signing (GitHub repo) | Verify all commits are verified on GitHub. |
| github-repo-web-commit-signoff | Verify GitHub Repository Requires Signoff on Web Commits | Ensure that the GitHub repository requires signoff on web commits. |
[CICD-SEC-10] Insufficient Logging and Visibility
Ensure that the CI/CD pipeline has sufficient logging and visibility to detect unauthorized access to the pipeline and artifacts.
Mitigation
Identify and build an inventory of all the systems in use within the organization, containing every instance of these systems.
Rules
| Rule ID | Rule Name | Rule Description |
|---|---|---|
| github-repo-exists | GitHub repository evidence | Identify and build an inventory of all the systems in use within the organization, containing every instance of these systems. |
| workflows-discovered | Repo Workflows and Pipelines Discovered | Repository workflows scan helps to keep track of the repo workflows, pipeline runs, run reasons, authors and other relevant information. |