Why Traditional DevOps Security Tools Miss CI/CD Pipeline Attacks

by Tom Hamilton, CTO and Co-Founder, InvisiRisk, Inc.

Key Takeaways:

• CI/CD pipeline attacks increasingly target build systems and pipeline configuration, not just source code.

• SCA, SAST, DAST, and IaC tools are still essential, but they do not stop build-time secret exfiltration, build-environment tampering, or runtime abuse inside the pipeline.

• A Build Application Firewall (BAF) enforces security policies inline during the build by understanding build communications protocols and how pipeline components actually behave during execution.

The uncomfortable truth is that a CI/CD pipeline can look secure on paper and still leak secrets or produce compromised builds in practice. Scanners are excellent at finding known issues in source code, open-source dependencies, and infrastructure as code, but many modern software supply chain attacks happen during execution, when credentials exist, dependencies are fetched, and the build environment itself can be manipulated. That is the gap this post examines, and it is why we believe CI/CD pipeline security needs a control layer that can monitor first and then enforce policy inline once safe baselines are established.

CI/CD pipeline attacks have grown steadily since SolarWinds made the software supply chain impossible to ignore. Earlier attacks often focused on vulnerable code, compromised dependencies, or unpatched systems, so security teams responded by investing heavily in code-centric controls. That made sense, but it also shaped the market around where the problem used to be rather than where it is now.

As DevOps teams deployed SCA, SAST, DAST, and IaC tools, attackers adapted. Instead of focusing only on source code, they began targeting pipeline configuration, build scripts, ephemeral credentials, runners, and the build environment itself. A second wave of tools emerged to validate configuration settings, but the attack surface kept expanding, along with tool sprawl, cost, and operational complexity.

Why CI/CD Pipeline Security Is So Difficult

One reason software supply chain security remains so challenging is the complexity of the modern build process. CI/CD pipelines interact with both internal and external resources across the build environment. Open source packages alone now make up more than 75% of most codebases, but they are only one part of the broader dependency and build ecosystem. Beyond open source, that ecosystem also includes container images, operating system images, build infrastructure, package registries, and network services.

Recent GitHub Actions incidents have shown how dependency chains inside automation workflows can become an effective attack vector. When multiple layers are exposed at once, detection becomes much harder.

The distributed architecture of a build pipeline makes the problem even harder. Multiple nodes often participate in the workflow from developer check-in through artifact creation, testing, signing, and deployment. A build controller orchestrates those steps through constant two-way communication with build nodes, which means the system is not just evaluating code. It is continuously issuing commands, exchanging data, handling secrets, and making trust decisions across the network. The diagram below shows a high-level view of a typical CI/CD pipeline.

Figure 1: Generic CI/CD Pipeline

As shown in Figure 1, a build pipeline is made up of multiple networked nodes performing specialized operations. Protecting the nodes themselves is difficult enough, but each node can contain several layers of software, services, credentials, and runtime dependencies. That dramatically increases the complexity of CI/CD pipeline security. The diagram below illustrates a representative nodal architecture and highlights several potential attack vectors.

Figure 2: Build Pipeline Nodal Architecture and Threats

Where Existing Security Tools Fall Short

Most existing tools protect only one stage of the pipeline. They provide important coverage, but they do little to secure the upstream and downstream interactions that determine whether the build environment itself can be trusted. A software composition analysis tool can identify known vulnerabilities or licensing issues in open-source dependencies, but it cannot stop secret exfiltration during execution. Secret scanners can inspect repositories and scripts for exposed credentials, but they are ineffective against in-memory exploits that appear during the build and then remove themselves after exfiltration. SAST tools can identify risky constructs in source code or binaries, but they are not designed to stop a modified build script or a malicious runtime action once the pipeline is underway.

The complexity of the build environment makes threat detection and response exceptionally difficult. In many cases, the compromise is discovered only after damage has already been done. Learning that a signing key was stolen is useful, but not if attackers have already used it to sign fraudulent software before the incident is detected. What teams need is a way to detect and stop malicious behavior in real time so compromised artifacts never reach downstream customers, partners, or production systems.

What a Build Application Firewall Does Differently

This broad and dynamic attack surface cannot be secured simply by adding more scanners and configuration checkers. A different approach is needed, one that can observe what is happening during the build and validate behavior inline while the process is still running. That is the problem we set out to address at InvisiRisk.

The InvisiRisk Build Application Firewall (BAF) is designed to understand the protocols used inside build communications stacks so it can validate and enforce security policy in real time. By monitoring build-time network transactions, it can detect attempts to corrupt the environment, exfiltrate data, inject unauthorized dependencies, or remotely control pipeline components. After the build, AI-based anomaly detection can analyze build traffic patterns, surface suspicious behavior, and recommend additional policies to strengthen cyber defense over time.

We believe this represents an important step forward in software supply chain security. Build systems are now active attack surfaces, not just passive automation tools. As a result, modern teams need a control layer that can help them monitor, validate, and eventually enforce trusted behavior across the build and deployment pipeline without turning CI into a bottleneck.

How to Improve CI/CD Pipeline Security Now

A practical first step is to assess where your build system is most exposed: runner communications, credential handling, dependency retrieval, artifact signing, and policy enforcement during execution.

Schedule a build system security assessment with an InvisiRisk account manager.

References:

• https://linuxfoundation.eu/newsroom/the-rising-threat-of-software-supply-chain-attacks-managing-dependencies-of-open-source-projects

• https://danacrane.medium.com/software-supply-chain-security-enters-the-trough-of-disillusionment-aac4a5d291fc

• https://www.intel.com/content/www/us/en/developer/articles/guide/the-careful-consumption-of-open-source-software.html