pipeline-security

Solid

Secure CI/CD pipelines with keyless signing, OIDC federation, provenance attestations, policy enforcement, and hardened runners.

AI & Automation 15 stars 3 forks Updated today MIT


Quality Score: 86/100

- Stars (20%): 40
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 80
- License (10%): 100
- Description (5%): 100

Skill Content

# Skill: Pipeline Security

> **Expertise:** OIDC cloud auth, least-privilege workflow permissions, secret scanning, keyless artifact signing, SLSA provenance, and admission policy checks.

## When to load

When designing or hardening CI/CD pipelines for production deployments, especially where compliance or high-risk workloads are involved.

## Security Outcomes (definition of done)

- Pipeline uses **OIDC federation** (no long-lived cloud keys in CI secrets).
- Artifacts are **signed keylessly** and verified with identity constraints.
- **Provenance + SBOM** are generated and validated before deploy.
- Workflows use **minimal GitHub/GitLab permissions**.
- Runtime admission policies block unsigned/unattested artifacts.

## OIDC Authentication (no long-lived credentials)

```yaml
jobs:
  deploy:
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: aws-actions/configure-aws-credentials@<pinned-sha>
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy
          aws-region: us-east-1
```

- Constrain trust policy by repo, ref, and workflow identity.
- Prefer short session duration and environment-scoped roles.

## Minimal Permissions Model

```yaml
permissions:
  contents: read
  id-token: write
  packages: write
```

- Deny by default; explicitly request only required scopes.
- Split build and deploy into separate jobs with separate permissions.

## Keyless Signing + Verification

```bash
# Sign immutable ...
```
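The OIDC section says to constrain the role's trust policy by repo, ref and workflow identity; the check below is an added example (not part of the skill or the agent-guides repository) that audits an AWS IAM trust policy for the GitHub OIDC provider and reports conditions that would let other repositories or refs assume the deploy role. The two policies are constructed inputs; the `example-org/example-app` repository name is an assumption.

```python
"""Audit an IAM trust policy for a GitHub Actions OIDC-federated role."""
import json
import re

GITHUB_OIDC = "token.actions.githubusercontent.com"
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC

# Constructed example: sub matches any repo and aud is not pinned.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {GITHUB_OIDC + ":sub": "repo:*"}}}]})

# Constructed example: pinned aud, one repo, one branch (assumed repo name).
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        GITHUB_OIDC + ":aud": "sts.amazonaws.com",
        GITHUB_OIDC + ":sub": "repo:example-org/example-app:ref:refs/heads/main"}}}]})

# A sub claim is acceptable only when it names one owner/repo and one
# branch, tag or environment, with no wildcard characters.
SUB_OK = re.compile(
    r"repo:[^/*?]+/[^:*?]+:(ref:refs/heads/[^*?]+|ref:refs/tags/[^*?]+|environment:[^*?]+)")


def check_trust_policy(policy_json: str) -> list[str]:
    """Return a list of findings; an empty list means the policy passed."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        # Flatten every condition operator into claim -> [values].
        claims: dict[str, list[str]] = {}
        for operator_values in stmt.get("Condition", {}).values():
            for key, val in operator_values.items():
                claims.setdefault(key, []).extend(val if isinstance(val, list) else [val])
        if "sts.amazonaws.com" not in claims.get(GITHUB_OIDC + ":aud", []):
            findings.append("aud claim is not pinned to sts.amazonaws.com")
        subs = claims.get(GITHUB_OIDC + ":sub", [])
        if not subs:
            findings.append("no sub condition: any GitHub workflow can assume the role")
        for sub in subs:
            if SUB_OK.fullmatch(sub) is None:
                findings.append(f"sub condition too broad: {sub}")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, check_trust_policy(policy) or ["ok"])
```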

Details

- Author: sawrus
- Repository: sawrus/agent-guides
- Created: 3 months ago
- Last Updated: today
- Language: Shell
- License: MIT
