BSides Kerala 2025 Speakers

Aastha Aggarwal

Security Engineer at Flipkart

Talk: Securing the Pulse of Modern Software: Fortifying CI/CD Pipelines

Abstract:
In the age of rapid digital transformation, CI/CD pipelines are the backbone of modern software development, driving faster delivery and innovation. However, this speed introduces security risks that, if exploited, can cripple systems. This presentation will explore critical vulnerabilities in CI/CD workflows, such as secrets mismanagement, dependency risks, and pipeline misconfigurations.

We will demonstrate how to integrate security into CI/CD pipelines using GitHub Actions, showcasing safe practices for securing workflows, identifying malicious activity, and managing secrets. Key tool categories, including SAST and DAST, secret scanning, and dependency analysis, will be discussed. Through case studies such as the PHP Git infrastructure compromise and the Dependency Confusion attack, we will highlight the importance of proactive security measures. Best practices for fortifying pipelines, including least-privilege access and centralized logging, will also be covered.

Aastha Aggarwal

Aastha Aggarwal is a Security Engineer at Flipkart with two years of experience in application security. A bibliophile with a passion for solving puzzles, she is driven by curiosity to explore innovative methods for securing modern workflows.

Currently, she is working on developing a secret scanner tool and is open to discussions about it.