OWASP CI/CD Top 10 Coverage
Every finding from Drift Sentinel is mapped to the OWASP CI/CD Security Top 10 framework. Here is our complete coverage, listed by category. Rules marked (Auto-fix) are those for which Drift Sentinel offers an automatic fix.
CICD-SEC-1: Insufficient Flow Control Mechanisms
Insufficient flow control mechanisms refer to the ability of an attacker that has obtained permissions to a system within the CI/CD process to push malicious code or artifacts down the pipeline, due to a lack of mechanisms that enforce additional approval or review.
Rules for this category are on the roadmap.
CICD-SEC-2: Inadequate Identity and Access Management
Inadequate identity and access management risks refer to the ability of an attacker to gain access to systems due to flaws in identification, authentication and authorization mechanisms.
Rules in this category:
- secrets-in-untrusted-context
- dangerous-defaults-permissions
- oidc-overly-permissive
- hardcoded-credentials
- github-token-write-contents
- actions-checkout-persist-credentials (Auto-fix)
CICD-SEC-3: Dependency Chain Abuse
Dependency chain abuse risks refer to an attacker's ability to abuse flaws in the dependency management process to inject malicious packages as dependencies.
Rules in this category:
- permissions-write-all (Auto-fix)
- unpinned-action (Auto-fix)
- missing-permissions (Auto-fix)
- reusable-workflow-unpinned (Auto-fix)
- container-latest-tag (Auto-fix)
- extra-index-url-injection
- third-party-action-untrusted
- curl-pipe-bash
- npm-install-scripts (Auto-fix)
- stale-action-version (Auto-fix)
CICD-SEC-4: Poisoned Pipeline Execution (PPE)
Poisoned pipeline execution (PPE) risks refer to the ability of an attacker to inject malicious code into a build pipeline by manipulating the build process.
Rules in this category:
- pull-request-target-checkout
- script-injection
- deprecated-set-output (Auto-fix)
- deprecated-save-state (Auto-fix)
- workflow-run-from-fork
- workflow-dispatch-no-input-validation
- matrix-injection
CICD-SEC-5: Insufficient PBAC (Pipeline-Based Access Controls)
Insufficient PBAC risks refer to the ability of an attacker to abuse the permissions of a pipeline to gain access to resources.
Rules in this category:
- environment-no-protection
- pr-approval-bypass
- no-codeowners-workflows
CICD-SEC-6: Insufficient Credential Hygiene
Insufficient credential hygiene risks refer to flaws in credential management that allow attackers to obtain or use credentials.
Rules for this category are on the roadmap.
CICD-SEC-7: Insecure System Configuration
Insecure system configuration risks refer to flaws in the configuration of CI/CD systems that can be leveraged by attackers.
Rules in this category:
- concurrency-no-cancel (Auto-fix)
- timeout-missing (Auto-fix)
- continue-on-error-security
- codeql-disabled-queries (Auto-fix)
- allow-net-deno-unrestricted
- if-always-without-guard
CICD-SEC-8: Ungoverned Usage of 3rd Party Services
Ungoverned usage of 3rd party services risks refer to the ability of an attacker to abuse access granted to 3rd party services integrated into CI/CD.
Rules for this category are on the roadmap.
CICD-SEC-9: Improper Artifact Integrity Validation
Improper artifact integrity validation risks refer to flaws that allow an attacker to abuse a lack of integrity verification to distribute malicious artifacts.
Rules in this category:
- self-hosted-runner-untrusted
- artifact-poisoning
- cache-poisoning-vector
- release-no-provenance (Auto-fix)
CICD-SEC-10: Insufficient Logging and Visibility
Insufficient logging and visibility risks refer to the lack of proper logging mechanisms and visibility into CI/CD processes.
Rules for this category are on the roadmap.