Ambush from All Sides: Understanding Security Threats in Open-Source Software CI/CD Pipelines
Ziyue Pan, Wenbo Shen, Xingkai Wang, Yutian Yang, Rui Chang, Yao Liu, Chengwei Liu, Yang Liu, Kui Ren
TL;DR
Ambush from All Sides investigates security threats in OSS CI/CD pipelines by conducting a large-scale measurement of over 324,672 GitHub repositories and developing CIAnalyser to extract security-critical signals from pipeline configurations and scripts. It constructs a threat model, analyzes attack surfaces across input, runtime, and output, and validates five real-world attack cases demonstrating credential leakage, private code exposure, remote code execution, backdoored artifacts, and deployment tampering. The study reveals heavy reliance on a few core scripts and runtimes (notably Node.js and Docker), long update lags for script usage, and several severe CVEs in CI/CD scripts, underscoring significant supply-chain and runtimes-level risks. It offers mitigations spanning secure configurations, trusted scripts, and hardened CI/CD infrastructure to reduce risk and confine potential damages in the OSS software ecosystem.
Abstract
The continuous integration and continuous deployment (CI/CD) pipelines are widely adopted on Internet hosting platforms, such as GitHub. With the popularity, the CI/CD pipeline faces various security threats. However, current CI/CD pipelines suffer from malicious code and severe vulnerabilities. Even worse, people have not been fully aware of its attack surfaces and the corresponding impacts. Therefore, in this paper, we conduct a large-scale measurement and a systematic analysis to reveal the attack surfaces of the CI/CD pipeline and quantify their security impacts. Specifically, for the measurement, we collect a data set of 320,000+ CI/CD pipeline-configured GitHub repositories and build an analysis tool to parse the CI/CD pipelines and extract security-critical usages. Besides, current CI/CD ecosystem heavily relies on several core scripts, which may lead to a single point of failure. While the CI/CD pipelines contain sensitive information/operations, making them the attacker's favorite targets. Inspired by the measurement findings, we abstract the threat model and the attack approach toward CI/CD pipelines, followed by a systematic analysis of attack surfaces, attack strategies, and the corresponding impacts. We further launch case studies on five attacks in real-world CI/CD environments to validate the revealed attack surfaces. Finally, we give suggestions on mitigating attacks on CI/CD scripts, including securing CI/CD configurations, securing CI/CD scripts, and improving CI/CD infrastructure.