정주신

Originally published at manoit.co.kr

CI/CD Pipeline Supply Chain Attacks Surge — 2026 Security Response Strategy

Why CI/CD Pipelines Have Become Attackers' Prime Target

The most prominent software supply chain security issue in 2026 is attacks targeting CI/CD pipelines. With open-source dependencies making up over 85% of modern application codebases, attackers have shifted from exploiting vulnerabilities that slip past code review to targeting build provenance.

CI/CD pipelines occupy the highest-privilege infrastructure layer, possessing source code access, cloud credentials, and production deployment authority. A successful breach gives attackers total supply chain control, maximizing attack ROI.

Major Supply Chain Attack Cases in 2026

GitHub Actions Tag Manipulation Attacks

In March 2026, attackers forcibly updated version tags of the Trivy GitHub Action, injecting malicious code. This attack exposed CI/CD secrets from affected pipelines. Trivy image tags 0.69.4, 0.69.5, and 0.69.6 on Docker Hub were also confirmed to contain information-stealing payloads.

The attack was attributed to TeamPCP, a cloud-native threat actor known for exploiting misconfigured Docker APIs and Kubernetes clusters.

Previously, the tj-actions/changed-files GitHub Action was compromised, exposing secrets from over 23,000 repositories. The attacker redirected version tags to malicious commits.

The Structural Risk of Jenkins Plugin Vulnerabilities

According to JetBrains' March 2026 analysis, Jenkins experienced over 70 security vulnerabilities throughout 2025. Most were plugin-related, with many remaining unpatched in production environments even after fixes became available.

CVE-2025-31722, in particular, was a critical Remote Code Execution (RCE) vulnerability in the template engine. More concerning: over 45,000 Jenkins servers remain exposed to vulnerabilities from 2024.

The plugin-centric architecture presents clear structural problems: inconsistent security standards due to community maintenance, unresolved vulnerabilities in abandoned plugins, expanded attack surfaces from complex plugin interactions, and amplified damage scope from excessive privilege grants.

A New Defense Tool: Chainguard Actions

In response to these threats, Chainguard released Chainguard Actions in March 2026—a CI/CD security tool with a secure-by-default approach.

Chainguard Actions collects popular third-party CI/CD workflows and automatically evaluates them against comprehensive security rules. When issues are found, it auto-fixes them to provide secure versions. It continuously monitors upstream marketplace changes, automatically adjusting for security requirements.

The security approach comprises three core elements. First, it combines rule-based detection with AI to identify both known risk patterns and subtle vulnerabilities. Second, each security fix is recorded as a Git commit for audit trails. Third, when new security rules apply, it re-evaluates the entire catalog automatically.

Practical CI/CD Security Hardening Checklist

Immediately Applicable Measures

With GitHub Actions, pin actions to full commit SHAs rather than mutable tags such as v1 or v2. For example, write uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 instead of uses: actions/checkout@v4. Because a commit SHA cannot be repointed the way a tag can, this blocks tag manipulation attacks at the source.

Use OIDC-based short-lived credentials to reduce long-term secret exposure risk. AWS, GCP, and Azure all support GitHub Actions OIDC integration. Additionally, explicitly declare permissions in your workflows to enforce the principle of least privilege.
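
A small audit for the measures above, flagging action references that are not pinned to a commit SHA, workflows without an explicit permissions block, and long-lived cloud keys that OIDC would replace. This is an added example, not code from the original article; the sample workflow, example-org/scanner-action, the rule names, and the secret-name pattern are assumptions.

```python
import re

USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^"\'\s#]+)')
SHA_RE = re.compile(r"[0-9a-f]{40}")               # full commit SHA
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")   # immutable image digest
PERMS_RE = re.compile(r"^\s*permissions\s*:")
# Assumed naming pattern for long-lived cloud keys stored as repository secrets.
STATIC_KEY_RE = re.compile(r"secrets\.(\w*(?:SECRET_ACCESS_KEY|CREDENTIALS)\w*)")

# Constructed sample workflow; example-org/scanner-action is hypothetical.
SAMPLE_WORKFLOW = """\
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: example-org/scanner-action@main
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""

def audit_workflow(text):
    """Return (line, rule, detail) findings for one workflow file's text."""
    findings, has_permissions = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        if PERMS_RE.match(line):
            has_permissions = True        # any workflow- or job-level block counts
        for name in STATIC_KEY_RE.findall(line):
            findings.append((lineno, "static-cloud-key", name))
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("./"):
            continue                      # not an action reference, or a local action
        ref = m.group(1)
        if ref.startswith("docker://"):
            pinned = bool(DIGEST_RE.search(ref))
        else:
            pinned = bool(SHA_RE.fullmatch(ref.rpartition("@")[2]))
        if not pinned:
            findings.append((lineno, "unpinned-ref", ref))
    if not has_permissions:
        findings.append((0, "no-permissions-block", "token scope left to defaults"))
    return findings

if __name__ == "__main__":
    print(*audit_workflow(SAMPLE_WORKFLOW), sep="\n")
```

Run it over every file under .github/workflows in CI and fail the build on any finding; line 0 marks a file-level finding.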

Jenkins Environment Security Hardening

Create a complete inventory of active plugins and verify each plugin's last update date and maintenance status. Remove unused plugins immediately and seek replacements for abandoned plugins or maintain your own fork.

Subscribe to Jenkins security advisories and establish processes to apply critical security patches within 48 hours. If plugin management overhead becomes excessive or you've experienced security incidents, consider migrating to an integrated CI/CD platform (GitHub Actions, GitLab CI, or commercial solutions).

Supply Chain Security Governance

Adopt the SLSA (Supply chain Levels for Software Artifacts) framework to validate build provenance. Use Sigstore/cosign to sign container images and generate SBOM (Software Bill of Materials) for dependency transparency.

Apply the same code review rigor to CI/CD configuration files (.github/workflows, Jenkinsfile, etc.) as to application code. Automate dependency updates with Dependabot or Renovate, prioritizing security updates.

Conclusion

CI/CD pipeline security is no longer optional—it's essential. 2026's supply chain attacks are increasingly sophisticated, with defenses evolving through tools like Chainguard Actions. The key is consistently applying fundamentals—SHA pinning, least privilege, and continuous monitoring—throughout your CI/CD environment.


This article was originally published on ManoIT Tech Blog.
