Establishing Workload Identity for Zero Trust CI/CD: From Secrets to SPIFFE-Based Authentication
Surya Teja Avirneni
TL;DR
The paper addresses the security gaps in CI/CD identity by moving from static secrets and platform-bound tokens to runtime-issued SPIFFE-based workload identities. It presents SPIFFE and SPIRE as a runtime identity model with attestation, SVIDs, and trust-domain federation to enable cross-cloud, cross-organization authentication. The key contributions include applying SPIFFE to CI/CD workflows, enabling just-in-time, least-privilege access through policy-based authorization, and outlining federation mechanisms across domains. This approach reduces secret leakage, improves auditability, and advances Zero Trust principles in modern software delivery pipelines.
Abstract
CI/CD systems have become privileged automation agents in modern infrastructure, but their identity is still based on secrets or temporary credentials passed between systems. In enterprise environments, these platforms are centralized and shared across teams, often with broad cloud permissions and limited isolation. These conditions introduce risk, especially in the era of supply chain attacks, where implicit trust and static credentials leave systems exposed. This paper describes the shift from static credentials to OpenID Connect (OIDC) federation, and introduces SPIFFE (Secure Production Identity Framework for Everyone) as a runtime-issued, platform-neutral identity model for non-human actors. SPIFFE decouples identity from infrastructure, enabling strong, portable authentication across job runners and deployed workloads. We show how SPIFFE identities support policy alignment, workload attestation, and mutual authentication. The paper concludes by outlining next steps in enabling policy-based access, forming the basis of a broader Zero Trust architecture for CI/CD.