# CI/CD Posture Policies CI/CD Posture policies detect insecure configurations, integrations, and behaviors within continuous integration and delivery environments. These policies focus on workflows, permissions, webhooks, secrets handling, and tool usage that affect pipeline integrity. Proper CI/CD posture reduces the risk of unauthorized access, supply chain compromise, and insecure code reaching production. The article describes the policies in this category, configuration options, and the impact of policy violations. For an overview of policies and policy management, see the [Policies ](https://docs.ox.security/ox-policies)article.

## View and manage CI/CD Posture policies Open each policy to view the business impact and optional settings.

Anomaly in webhook usage

**Purpose:** Detects uncommon or anomalous webhook configurations that may indicate unauthorized or persistent access to code repositories. **Business impact:** Anomalous webhooks can allow long-term unauthorized access after account compromise. They may also expose source code or secrets through unintended data transfer. This increases the risk of data leakage and supply chain compromise.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Max Repos Process	An issue will only be generated if the webhook URL is present in less than the selected percentage of repositories.	Current setting
Max Repos Count	An issue will only be generated if the webhook URL is present in less than the selected count of repositories.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF
Domain Exclusions (dropdown)	Webhooks utilizing domains with the specific regex will not generate issues. Select from the list.	Current setting

CI/CD bot can approve code review

**Purpose**: Detects repository configurations that allow CI/CD bots to approve code reviews. **Business impact:** Allowing bots to approve reviews enables self-review bypass of branch protection rules. A single compromised developer account can push unreviewed code to protected branches. This increases the risk of introducing malicious or insecure changes into production.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Repos Type (dropdown)	Choose if the policy applies to private, public, or all repo types.	Current setting
Only Enforce with Branch Protection (checkbox)	If enabled the policy will only be checked for repos with branch protection requiring code reviews	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

CI/CD context values in workflow

**Purpose:** Detects CI/CD workflows that use context values in execution paths without validation. **Business impact:** Untrusted context values can enable injection of malicious content into workflows. This may lead to unintended command execution or abuse of CI/CD actions and APIs. Such exposure increases the risk of pipeline compromise.

{% hint style="info" %} This policy currently applies to GitHub only. {% endhint %}

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
SCA (dropdown)	Select one or more approved SCA applications.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

CI/CD workflow security issue

**Purpose:** Detects invalid configuration settings and security vulnerabilities within CI/CD workflow files. **Business impact:** Insecure workflow files can allow unauthorized changes, unintended execution, or abuse of CI/CD capabilities. These weaknesses increase the risk of pipeline compromise and introduction of malicious code. Failure to address them can undermine the integrity of the build and deployment process.

Setting	Description	Defau
ON/OFF (toggle)	Enable/disable the policy.	ON
Show issues of severity (dropdown)	Limits which severities appear as issues.	All (including Info)
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Deprecated command in workflow

**Purpose:** Detects CI/CD workflows that use deprecated GitHub Actions commands with known security weaknesses. **Business impact:** Deprecated commands can expose workflows to injection vulnerabilities during execution. Attackers may exploit these weaknesses to manipulate paths or environment variables. Continued use increases the risk of workflow compromise and unintended code execution.

{% hint style="info" %} This policy currently applies to GitHub only. {% endhint %}

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Repo Visibility	Determines if this policy applies to public repos, private repos or both.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Excessive permissions in workflow file

**Purpose**: Detects CI/CD workflow files that request permissions exceeding what is required for job execution. **Business impact:** Excessive permissions increase the impact of token exposure during workflow execution. A compromised token can grant attackers broader access to the repository or allow bypass of controls such as required reviews. Limiting permissions reduces the blast radius of credential misuse and pipeline compromise.

{% hint style="info" %} This policy currently applies to GitHub only. {% endhint %}

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Repo Visibility	Determines if this policy applies to public repos, private repos or both.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Excessive permissions in workflow setting

**Purpose:** Detects CI/CD workflows where permission settings grant broader access than required, based on GitHub API configuration data. **Business impact:** Overly permissive workflow settings increase the impact of token theft or misuse. Compromised tokens may allow attackers to access repositories, secrets, or bypass review requirements. Applying least-privilege permissions limits the potential damage from compromised CI/CD credentials.

{% hint style="info" %} This policy currently applies to GitHub only. {% endhint %}

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Repo Visibility	Determines if this policy applies to public repos, private repos or both.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Incorrect storage of secret in GitHub Action

**Purpose:** Detects GitHub Actions configurations where sensitive values are stored as variables instead of encrypted secrets. **Business impact:** Storing secrets in plaintext variables increases the risk of exposure if a runner is compromised. Exposed credentials can be used to access repositories, services, or infrastructure. Proper secret storage reduces the likelihood of credential leakage and unauthorized access.

{% hint style="info" %} This policy currently applies to GitHub only. {% endhint %}

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Repo Visibility	Determines if this policy applies to public repos, private repos or both.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Malicious webhook

**Purpose:** Detects webhook URLs with a malicious reputation based on threat intelligence sources. **Business impact:** Malicious webhooks can provide attackers with continuous visibility into code and environment changes. They may enable data exfiltration or support persistence after a breach. Leaving such webhooks in place increases the risk of ongoing compromise.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Secret echoed in workflow console

**Purpose:** Detects CI/CD workflows that output secret values to logs or console output. **Business impact:** Exposed secrets in workflow logs can be accessed by users with log visibility or, in public logs, by anyone. Compromised credentials may enable unauthorized access to systems or services. This increases the risk of data breaches and lateral movement.

{% hint style="info" %} This policy currently applies to GitHub only. {% endhint %}

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	OFF
Repo Visibility	Determines if this policy applies to public repos, private repos or both.	Current setting
Show issues of severity (dropdown)	Limits which severities appear as issues.	All (including Info)

Suspicious webhook

**Purpose:** Detects webhook URLs with a suspicious reputation based on threat intelligence sources. **Business impact:** Suspicious webhooks may indicate early-stage compromise or unauthorized monitoring of repository activity. They can expose information about code changes and environments. Failure to investigate increases the risk of escalation to persistent or malicious access.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Unauthorized CI/CD used

**Purpose:** Detects code repositories that are built or deployed using CI/CD systems not approved by the organization. **Business impact:** Use of unauthorized CI/CD bypasses required guardrails, tests, and security checks. Code changes may reach production without validation. This increases the risk of introducing vulnerabilities or malicious code.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF
CI/CD	Select one or more approved to be used CI/CD tools for this policy.	Current setting
Ignore Business Priority Less Than	Ignore repos with a Business Priority that is less than the value entered.	Current setting

Unauthorized serverless function deployment

> **Note:** This capability is currently in Early Access (EA) and is not generally available. To request access, please contact OX technical support. **Purpose:** Detects serverless functions that are deployed without using an authorized CI/CD application. **Business impact:** Unauthorized deployment bypasses required build, test, and security controls. Functions may run with insecure code or misconfigurations. This increases the risk of runtime vulnerabilities and unauthorized behavior in production.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF
Ignore Business Priority Less Than	Ignore repos with a business priority that is less than the value entered.	Current setting

Unpinned (SHA) third-party actions in GitHub

**Purpose:** Detects GitHub Actions workflows that reference third-party actions without pinning them to a specific commit Service Hash Algorithm (SHA). **Business impact:** Unpinned actions can change without notice and introduce malicious or insecure behavior. A compromised action may access repository secrets or use the GITHUB\_TOKEN to modify code. This increases the risk of supply chain attacks through CI/CD workflows.

{% hint style="info" %} This policy currently applies to GitHub only. {% endhint %}

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Repo Visibility	Determine if this policy applies to public repos, private repos or both.	Current setting
Skip Verified Creators	If the repo creator is verified, no violation will occur.	ON
Exclude Actions Creators	When the action creator is excluded, no violation occurs. Click to add values.	Current setting
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Webhook with unknown reputation

**Purpose:** Detects webhook URLs with an unknown reputation based on threat intelligence sources. **Business impact:** Webhooks with unknown reputations may indicate unauthorized or unverified integrations. They can expose information about code changes and environments. Failure to validate these webhooks increases the risk of data exposure and persistent access.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Webhook without secret key

**Purpose:** Detects webhooks that are configured without a secret key for request validation. **Business impact:** Webhooks without a secret key cannot verify the authenticity of incoming requests. Attackers may spoof webhook calls to trigger unauthorized actions or extract data. This weakens trust in CI/CD integrations and increases the risk of abuse.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Ignore Application Business Priority for severity calculation (checkbox)	When enabled, severity is not adjusted based on application priority.	OFF

Webhook without SSL/TLS

**Purpose:** Detects webhooks that communicate over connections not secured with SSL/TLS. **Business impact:** Unencrypted webhook traffic can be intercepted or modified in transit. Exposed data may include code or sensitive metadata. This increases the risk of data leakage and man-in-the-middle attacks.

Setting	Description	Default
ON/OFF (toggle)	Enable/disable the policy.	ON
Show issues of severity (dropdown)	Limits which severities appear as issues.	All (including Info)

## View policy issues 1. Open the Active Issues page. 2. Use the **Category** filter and select the policy category to view related active issues. 3. Use the **Policy** filter to narrow the list to a specific policy. 4. Apply the Category and Policy filters separately or together, depending on how specific you want the results to be. 5. Use the search box to refine results, such as filtering by file name, keyword, or rule identifier. ## Create or save policy profiles When you change a policy’s severity, ON/OFF toggle or any other setting, you must save the current profile or create a new one. * To save the current profile, click **SAVE** in the page header. * To create a new profile, click **SAVE AS** in the page header. For instructions, see the section [Create or edit policy profiles ](https://open-2c.gitbook.com/url/preview/site_RHimt/~/revisions/esBak1HVuTgsCEeNbzHE/policies?theme=light#create-or-edit-policy-profiles)in the [Policies ](https://docs.ox.security/ox-policies/policies)article.