DEV Community

vasant

Attacking CI/CD Tools The Crown Jewels — Series 2

Introduction

Automatically building projects from pull requests is something DevOps teams cannot avoid in CI/CD pipelines. When you set up automated builds (also called auto builds), you define the list of branches and tags you want built. When you push code to a source branch that maps to one of those listed image tags, the push fires a webhook that triggers a new build.
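As an added illustration of the trigger mechanism described above (this is example code, not code from the original post), here is a minimal webhook receiver check in Python: it verifies the HMAC-SHA256 signature that GitHub attaches as the X-Hub-Signature-256 header and only starts a build when the pushed ref is on the configured branch/tag list. The secret, the ref list and the push payloads are constructed values.

```python
import hashlib
import hmac
import json

# Constructed secret and build list; a real deployment loads these from the
# CI system's configuration rather than hard-coding them.
WEBHOOK_SECRET = b"example-shared-secret"
BUILD_REFS = {"refs/heads/main", "refs/heads/release", "refs/tags/v1.0.0"}


def signature_valid(body: bytes, header: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Check the HMAC-SHA256 signature GitHub sends as X-Hub-Signature-256 (sha256=<hex>)."""
    if not header.startswith("sha256="):
        return False
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak timing information.
    return hmac.compare_digest(expected, header)


def build_decision(body: bytes, header: str, build_refs=BUILD_REFS) -> dict:
    """Decide whether a push event should trigger a build, and record why."""
    # Reject anything not signed with the shared secret before parsing it.
    if not signature_valid(body, header):
        return {"build": False, "reason": "bad signature"}
    event = json.loads(body)
    ref = event.get("ref", "")
    if event.get("deleted"):
        return {"build": False, "reason": "ref deleted"}
    # Only the branches and tags on the build list may start a build.
    if ref not in build_refs:
        return {"build": False, "reason": f"ref {ref} not in build list"}
    return {"build": True, "reason": "ok", "ref": ref, "commit": event.get("after")}


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Produce the header a legitimate sender attaches (used here to build sample input)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed push payloads modelled on GitHub's push event (only the fields used here).
    main_push = b'{"ref": "refs/heads/main", "after": "0000000000000000000000000000000000000000"}'
    print(build_decision(main_push, sign(main_push)))              # build: True
    print(build_decision(main_push, "sha256=" + "0" * 64))         # bad signature
    feature = b'{"ref": "refs/heads/feature-x", "after": "1111111111111111111111111111111111111111"}'
    print(build_decision(feature, sign(feature)))                  # ref not in build list
```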

In the previous blog post, we looked at techniques such as gaining access to build servers and cloud infrastructure, and backdooring build servers.

In this blog post, we will see how internal users with no access to build servers can abuse automated build triggers to gain access to the build servers and the infrastructure behind them.

Such attacks are commonly seen at companies that open-source their projects and accept contributions from external sources.
