It started with a misconfigured CI runner. A developer had a Jenkins pipeline building Docker images. The container ran as root. A dependency had a known RCE vulnerability. When the exploit landed, the attacker had root inside the container, and because that process was root, they also had root on the host. They pivoted to the secrets store, grabbed credentials, and spent three weeks inside the network before anyone noticed. ...
Note: This guide combines personal experience from writing deployment scripts across macOS, Linux, and Windows environments with patterns documented in the Python pathlib documentation, Git documentation, PowerShell cross-platform guidance, Python subprocess module, and GitHub Actions runner images. A deployment script that works on macOS. A colleague runs it on Windows. It fails immediately. The culprit? A hardcoded forward slash in a file path. I’ve seen this exact scenario play out multiple times over the past five years, and it’s almost always preventable. ...
Update (January 2026): The package versions in this tutorial were current as of March 2024. While the concepts and approach remain valid, you should check for newer versions of the tools mentioned (Hadolint, Terrascan, pre-commit hooks, etc.). Most importantly, update actions/checkout@v3 to actions/checkout@v4 in your workflows - v3 uses deprecated Node.js 16. As I continue this series on CI/CD pipeline security, it is time to now work on securely building and deploying our application. This post picks up where my Build Secure Python Pipelines: Adding Tests and Hooks in Action post left off. ...
As we continue this series started in my Getting Started with Secure CI/CD: Essential Practices for Beginners post, I’ll be securing my Python code with automated testing and hooks. While some of this information builds on some previous posts I’ve created in the past, Adding pre-commit Hooks to Python Repo Writing Tests For Your Python Project I still wanted to incorporate these together in a meaningful way. My goal is to help anyone that is trying to figure out how to piece together their own pipeline. ...
I think it’s time to focus on a few key practices for beginners to implement secure CI/CD. I’ve been building the idea on the idea of a CI/CD pipeline in a bunch of the below posts: Securing Your CI/CD Pipeline: A Beginner’s Guide to Implementing Essential Security Measures Automate Your Database Changes with a CI/CD Pipeline How to Build a CI/CD Pipeline for Your Database Infrastructure as Code with Terraform and GitHub Actions: A Kubernetes Case Study Adding pre-commit Hooks to Python Repo Writing Tests For Your Python Project All of these articles are a scattering of topics based upon some of the daily randomness that I’ve faced in my work life. After looking at all of these articles, I realized that they are a good basis for building out a secure CI/CD pipeline but the steps aren’t connected very well. ...