Attacking CI/CD Tools The Crown Jewels — Series 2

Introduction

Automating to build projects based on pull requests is something DevOps teams cannot avoid in CI/CD pipelines. When you set up automated builds (also called auto builds), you create a list of branches and tags that you want to build. When you push code to a source code branch for one of those listed image tags, the push uses a webhook to trigger a new build.

In the previous blog post, we have seen different techniques such as gaining access to build servers, cloud infrastructure, and backdooring build servers.

Attacking CI/CD Tools The Crown Jewels — Series 2 | by Vasant Chinnipilli | The Innovation | Jul, 2020 | Medium

Vasant Chinnipilli ・ Jul 24, 2020 ・ 4 min read

Medium

In this blog post, we will see how internal users with no access to build servers harness automated build triggers to their advantage to gain access to the build servers and infrastructure.

Such attacks are evident in companies that open-source their projects and accept contributions from external sources.