Skip to content

CI/CD pipelines are critical touchpoints in modern software development where code-level vulnerabilities, container security, and vulnerability remediation efforts converge. This SIG is dedicated to advancing security tooling within CI/CD pipelines, with a focus on defining best security practices and developing frameworks for secure pipeline.

Notifications You must be signed in to change notification settings

cdfoundation/CICD-Cybersecurity

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 

Repository files navigation

CI/CD Cybersecurity SIG Overview

Continuous Integration and Continuous Delivery (CI/CD) pipelines are critical touchpoints where code-level vulnerabilities, container security, and vulnerability remediation efforts converge in modern software development. As security demands rise across the software lifecycle—from code to cloud—CI/CD teams are increasingly tasked with embedding cybersecurity guardrails directly into their processes. This SIG is dedicated to advancing security tooling within CI/CD pipelines, with a focus on defining DevSecOps best practices and developing frameworks for secure pipeline implementation from code to cloud.

The CI/CD Cybersecurity SIG will play a pivotal role in advancing CI/CD security and supporting organizations in meeting modern cybersecurity demands. With focused efforts on integration frameworks, best practices, and emerging tooling, this SIG will address the critical need to embed security into every stage of the CI/CD pipeline, ensuring a resilient and secure software development lifecycle.

Why This SIG Is Needed

There is a pressing need for stronger security measures within CI/CD, as underscored by industry trends and research:

  • Rising Vulnerabilities: In 2024 alone, over 500,000 new vulnerabilities were discovered, many of which remain unaddressed for extended periods, often exceeding a year. A slow response to these vulnerabilities can be costly: IBM estimates that delays in vulnerability remediation cost enterprises an average of $5.5 million annually.
  • Expanding Threat Landscape with AI: The push to develop AI-driven solutions has introduced new security challenges. This trend has broadened the attack surface, necessitating additional tooling to secure models and pipelines related to Large Language Models (LLMs) and AI workloads. The evolution of CI/CD pipelines is crucial to address these mounting security concerns. While organizations like the CNCF and OpenSSF are incubating innovative security tools, discussions on integrating these tools within CI/CD pipelines remain limited.

SIG Goals and Objectives

The CI/CD Cybersecurity SIG aims to:

  • Develop Integration Frameworks: Create specifications and standards for integrating open-source security tooling into CI/CD pipelines.
  • Promote Security Best Practices: Establish security guardrails and best practices for CI/CD teams, covering key areas like code-level security, container security, and vulnerability management.
  • Identify and Evaluate Emerging Tools: Serve as a resource to evaluate and recommend new open-source and proprietary tools that align with evolving security requirements within CI/CD.
  • Collaborate with Industry Leaders: Engage with projects under CNCF, OpenSSF, and other relevant foundations to promote cross-community collaboration and adoption of CI/CD security solutions.

Scope of Work

The SIG will focus on:

Audience and Participants

The effort should be open to all involved in the field of CI/CD, AI, and Security. Within CDF it is essential we engage our broader community, including:

  • Open-source project communities from the CDF, OpenSSF, and CNCF
  • CDF and OpenSSF Ambassadors
  • OpenSSF DevRel Committee
  • CDF CD Events
  • CDF Member companies
  • CDF End User Council participants

Members

  • Tracy Ragan (@tracyragan), DeployHub (TOC Sponsor)
  • Sacha Wharton (@sachajw), i1 Solutions, Ortelius Security Team
  • Joshua Blengino, CloudBees
  • Tony Carrato (@tcarrato68), Technical Security Advisor
  • Brian Dawson, DeployHub
  • Jude Wellington, Jenkins Meetup Organizer
  • Kate Scarcella (@k8scarcella), Cybersecurity Architect Consultant, Ortelius Architecture Team
  • Utkarsh Sharma (@codeWithUtkarsh) Acutro, Ortelius Architecture Team
  • Jing Chen (@jdchen5), Consultant HSBC

New Members

Membership to the CDF CI/CD Cybersecurity SIG is open to the public and self-declared.

New members are advised to:

  • Join the SIG and CDF TOC mail lists.
  • Join the SIG-CICD-Cybersecurity Slack Channel
  • Join the mailing list
  • Go through the README.md document.
  • Submit a PR to add yourself to the members list.
  • Regularly join the SIG Meetings.
  • Here are various ways to get involved:
    • Share your thoughts by joining the meetings or by posting to maillist.
    • Present a project the community you are part of is working on.
    • Add a topic you would like to discuss to the agenda.
    • Create a new issue to start gathering feedback and collaborating.
    • Choose an issue where help is needed and comment on it expressing interest.
    • Propose a Proof of Concept

Governance

CI/CD Cybersecurity is a CDF Special Interest Group. Governance details for this SIG can be found here

About

CI/CD pipelines are critical touchpoints in modern software development where code-level vulnerabilities, container security, and vulnerability remediation efforts converge. This SIG is dedicated to advancing security tooling within CI/CD pipelines, with a focus on defining best security practices and developing frameworks for secure pipeline.

Resources

Code of conduct

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published