Attacking continuous integration/continuous delivery (CI/CD) pipelines.
CIS Benchmark: https://workbench.cisecurity.org/benchmarks/7555
Top 10 CI/CD Security Risks
Link: https://github.com/cider-security-research/top-10-cicd-security-risks
CI/CD Attack path
Jenkins
Also see: 8080 - Jenkins
Check for:
- Build/Replay permission (allows replaying a Pipeline build with a modified script or with additional Groovy code)
- GitHub OAuth plugin: try to register with an external user.
Recommendation for Jenkins
- Jenkins should not be accessible from the Internet
- Jenkins should run as a non-root user
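A defender-side helper, added here and not part of the original notes, that checks a Jenkins instance against the points above: whether the host sits on a public address, whether /api/json answers an unauthenticated request (anonymous Overall/Read, the precondition for anonymous Build/Replay), and whether the GitHub OAuth plugin (plugin id github-oauth) is installed. The endpoints are real Jenkins ones; the hostname in the comment and the responses used for testing are constructed.

```python
import ipaddress
import json
import socket
import sys
import urllib.request
from typing import List, Optional
from urllib.parse import urlparse

GITHUB_OAUTH_PLUGIN = "github-oauth"  # plugin id as published on plugins.jenkins.io


def fetch_json(url: str, timeout: float = 5.0) -> Optional[dict]:
    """GET a Jenkins JSON endpoint with no credentials; None on any error or non-200."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.load(resp) if resp.status == 200 else None
    except Exception:
        return None


def audit_jenkins(host_ip: str, root_api: Optional[dict], plugins: Optional[dict]) -> List[str]:
    """Map raw responses onto the checklist items and return human-readable findings."""
    findings: List[str] = []
    if ipaddress.ip_address(host_ip).is_global:
        findings.append("public address: Jenkins should not be reachable from the Internet")
    if root_api is not None:
        # /api/json answered without credentials, so anonymous holds Overall/Read;
        # the next step is to review which jobs grant anonymous Build and Replay.
        findings.append("anonymous read enabled: audit Build/Replay grants per job")
    if plugins is not None:
        # The plugin list normally needs a privileged session; None here is expected
        # from an anonymous run, so supply a dict fetched with admin rights if needed.
        installed = {p.get("shortName") for p in plugins.get("plugins", [])}
        if GITHUB_OAUTH_PLUGIN in installed:
            findings.append("github-oauth installed: confirm sign-up is limited to your organisation")
    return findings


if __name__ == "__main__":
    base = sys.argv[1].rstrip("/")  # e.g. http://jenkins.example.internal:8080 (placeholder)
    ip = socket.gethostbyname(urlparse(base).hostname)
    report = audit_jenkins(
        ip,
        fetch_json(base + "/api/json"),
        fetch_json(base + "/pluginManager/api/json?depth=1"),
    )
    print("\n".join(report) or "no findings")
```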
GitLab
Check for: