Draft Recommendations for Securing SaaS CI/CD Platforms
Opened this issue · 1 comments
tohch4 commented
As a Flexion engineer, in order to be confident in the sanity and safety of my build artifacts and related data, I would like guidance on how to properly configure SaaS CI/CD platforms, including, but not exclusively limited to:
- Github Actions
- CircleCI
- Travis
tohch4 commented
As discussed in the November 5, 2020 Security Guild, we should look into guidance on:
- Github Actions itself and potentially:
  - secrets storage
  - secure command syntax in their YAML specification
  - ancillary services:
    - Github Container Registry
    - Github Registry (for package manager for language runtimes)
    - Github Storage
- CircleCI
- Travis