Your CI/CD pipeline is the most privileged account in your infrastructure. It deploys to production, accesses secrets, and runs on every commit. Yet, many security policies treat it like any other system.
Version control systems and artifact repositories are central to software delivery, making them high-value targets. A compromised pipeline can inject malicious code into every build, bypass code reviews, and ship vulnerabilities straight to production. You need a specific policy that treats pipeline security as a critical control point.
This template provides a CI/CD security policy you can adapt to your environment. It covers authentication, secrets management, build integrity, and deployment controls—the four areas where most pipeline compromises occur.
Purpose of This Template
This policy template establishes security controls for your CI/CD infrastructure. Use it to:
- Define authentication and authorization requirements for pipeline access
- Specify how secrets and credentials are managed in build processes
- Set requirements for build integrity and artifact validation
- Document deployment approval workflows
- Create audit logging standards for pipeline activity
The template assumes you're running modern CI/CD tools (GitHub Actions, GitLab CI, Jenkins, CircleCI, or similar) and need to meet compliance requirements like SOC 2 Type II or ISO 27001. If you're subject to PCI DSS, focus on the secrets management and change control sections—Requirement 6.5.3 and 6.5.4 specifically address secure coding practices and change management that start in your pipeline.
Prerequisites
Before implementing this policy, ensure you have:
- Inventory of pipeline components: List every CI/CD tool, runner, build agent, and deployment target.
- Current access list: Document who has admin access to your CI/CD platform and why.
- Secrets audit: Identify every secret, API key, and credential your pipelines use.
- Deployment map: Chart which pipelines can deploy to which environments.
If you lack these, start there. You can't secure what you can't see.
The Template
# CI/CD Pipeline Security Policy
## 1. Pipeline Access Control
### 1.1 Authentication
- All pipeline access requires multi-factor authentication (MFA).
- Service accounts used by pipelines must use short-lived tokens (max 1 hour).
- No shared credentials between team members.
- Pipeline admin access requires approval from [ROLE] and annual recertification.
### 1.2 Authorization
- Apply least privilege: pipelines receive only the permissions needed for their specific job.
- Production deployment pipelines require separate approval from non-production.
- Pipeline configuration changes require pull request review by [NUMBER] security-cleared reviewers.
- Runners executing production deployments must not execute code from forks or external contributors.
## 2. Secrets Management
### 2.1 Secret Storage
- All secrets stored in a dedicated secret management system [SPECIFY: HashiCorp Vault, AWS Secrets Manager, etc.].
- No secrets in pipeline configuration files, environment variables visible in logs, or git history.
- Secrets rotated every [TIMEFRAME] or immediately upon suspected compromise.
- Each pipeline uses unique credentials—no credential reuse across projects.
### 2.2 Secret Access
- Secrets injected at runtime, never persisted to disk on runners.
- Secret access logged with pipeline ID, timestamp, and requesting identity.
- Failed secret access attempts trigger alert to [TEAM/ROLE].
## 3. Build Integrity
### 3.1 Source Verification
- All source code changes require branch protection: [NUMBER] reviewer approvals, signed commits.
- Pipeline definitions stored in version control and subject to the same review process as application code.
- Dependencies pinned to specific versions with cryptographic hash verification.
- Dependency updates trigger security scan before merge.
### 3.2 Build Process
- Build environments use immutable base images, rebuilt from known-good sources [FREQUENCY].
- No internet access from build runners except to approved package repositories.
- Build artifacts signed with organizational key before storage.
- Build logs retained for [TIMEFRAME] and monitored for anomalies.
## 4. Deployment Controls
### 4.1 Environment Separation
- Separate pipelines for development, staging, and production with no shared credentials.
- Production deployments require manual approval from [ROLE].
- Rollback procedures documented and tested [FREQUENCY].
### 4.2 Deployment Validation
- Automated security scans (SAST, dependency check, container scan) must pass before deployment.
- Production deployments logged with: deployer identity, artifact hash, timestamp, approval chain.
- Post-deployment verification runs automated tests confirming expected behavior.
## 5. Monitoring and Audit
### 5.1 Logging
- All pipeline executions logged: start time, duration, exit code, deployer, changed files.
- Configuration changes to pipeline definitions logged separately.
- Logs forwarded to SIEM within [TIMEFRAME].
### 5.2 Alerting
- Failed authentication attempts to pipeline systems.
- Secrets accessed outside normal working hours [DEFINE HOURS].
- Pipeline configuration changes.
- Deployment to production outside change window.
### 5.3 Review
- Quarterly access review: validate all pipeline admin accounts still require access.
- Annual policy review: update based on new threats and tooling changes.
Customizing the Template
Replace bracketed placeholders with your organization's specifics:
- [ROLE]: Define who approves what. Common choices: "Security Engineering Manager" for admin access, "Engineering Lead + Security Engineer" for production pipeline changes.
- [NUMBER]: Set review requirements based on risk. Start with 2 reviewers for production pipeline configs, 1 for non-production.
- [TIMEFRAME]: Balance security and operational overhead. Suggested starting points: secret rotation every 90 days, log retention 1 year, policy review annually.
- [SPECIFY]: Name your actual tools. "HashiCorp Vault" is more useful than "secret management system."
Consider adding sections for infrastructure-as-code or container registry security if applicable.
Validation Steps
After implementing this policy:
- Test authentication controls: Attempt to access your CI/CD platform without MFA. It should fail. Try accessing production pipeline configs without proper approval. Should fail.
- Audit secrets exposure: Run
git log -p | grep -i 'password\|secret\|key'on your pipeline config repos. Any hits indicate secrets that need immediate rotation and process fixes. - Verify build isolation: SSH into a build runner during execution. Check network connectivity—you should only reach approved repositories. Check filesystem—previous builds' artifacts should not be present.
- Review logs: Confirm pipeline execution logs reach your SIEM. Verify they include deployer identity and artifact hashes. Test that your alerting fires by triggering a failed authentication attempt.
- Validate deployment controls: Attempt to deploy to production without required approvals. The pipeline should block it. Check that deployment logs capture the full approval chain.
Run these validations quarterly, not just at implementation. Your pipeline evolves—new tools, new integrations, new team members. Each change is an opportunity for security controls to drift.
If validation fails, don't just fix the immediate issue. Investigate why the control failed and whether your policy needs updating. A failed MFA check might mean your onboarding process doesn't cover CI/CD access. A secret in logs might mean your secret injection method needs replacement, not just that one secret needs rotation.
Your CI/CD pipeline is infrastructure. Treat its security policy with the same rigor you apply to your production environment—because when your pipeline is compromised, your production environment is next.
