CI/CD Posture Policies
CI/CD Posture policies detect insecure configurations, integrations, and behaviors within continuous integration and delivery environments. These policies focus on workflows, permissions, webhooks, secrets handling, and tool usage that affect pipeline integrity. Proper CI/CD posture reduces the risk of unauthorized access, supply chain compromise, and insecure code reaching production.
This article describes the policies in this category, their configuration options, and the impact of policy violations. For an overview of policies and policy management, see the Policies article.

View and manage CI/CD Posture policies
Open each policy to view the business impact and optional settings.
Anomaly in webhook usage
Purpose: Detects uncommon or anomalous webhook configurations that may indicate unauthorized or persistent access to code repositories.
Business impact: Anomalous webhooks can allow long-term unauthorized access after account compromise. They may also expose source code or secrets through unintended data transfer. This increases the risk of data leakage and supply chain compromise.

ON/OFF (toggle)
Enable/disable the policy.
ON
Max Repos Process
An issue will only be generated if the webhook URL is present in less than the selected percentage of repositories.
Current setting
Max Repos Count
An issue will only be generated if the webhook URL is present in less than the selected count of repositories.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Domain Exclusions (dropdown)
Webhooks whose domains match the selected regex will not generate issues. Select from the list.
Current setting
CI/CD bot can approve code review
Purpose: Detects repository configurations that allow CI/CD bots to approve code reviews.
Business impact: Allowing bots to approve reviews enables self-review bypass of branch protection rules. A single compromised developer account can push unreviewed code to protected branches. This increases the risk of introducing malicious or insecure changes into production.

ON/OFF (toggle)
Enable/disable the policy.
ON
Repos Type (dropdown)
Choose if the policy applies to private, public, or all repo types.
Current setting
Only Enforce with Branch Protection (checkbox)
If enabled, the policy is only checked for repos with branch protection that requires code reviews.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
CI/CD context values in workflow
Purpose: Detects CI/CD workflows that use context values in execution paths without validation.
Business impact: Untrusted context values can enable injection of malicious content into workflows. This may lead to unintended command execution or abuse of CI/CD actions and APIs. Such exposure increases the risk of pipeline compromise.

This policy currently applies to GitHub only.
ON/OFF (toggle)
Enable/disable the policy.
ON
SCA (dropdown)
Select one or more approved SCA applications.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
CI/CD workflow security issue
Purpose: Detects invalid configuration settings and security vulnerabilities within CI/CD workflow files.
Business impact: Insecure workflow files can allow unauthorized changes, unintended execution, or abuse of CI/CD capabilities. These weaknesses increase the risk of pipeline compromise and introduction of malicious code. Failure to address them can undermine the integrity of the build and deployment process.

ON/OFF (toggle)
Enable/disable the policy.
ON
Show issues of severity (dropdown)
Limits which severities appear as issues.
All (including Info)
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Deprecated command in workflow
Purpose: Detects CI/CD workflows that use deprecated GitHub Actions commands with known security weaknesses.
Business impact: Deprecated commands can expose workflows to injection vulnerabilities during execution. Attackers may exploit these weaknesses to manipulate paths or environment variables. Continued use increases the risk of workflow compromise and unintended code execution.

This policy currently applies to GitHub only.
ON/OFF (toggle)
Enable/disable the policy.
ON
Repo Visibility
Determines if this policy applies to public repos, private repos or both.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Excessive permissions in workflow file
Purpose: Detects CI/CD workflow files that request permissions exceeding what is required for job execution.
Business impact: Excessive permissions increase the impact of token exposure during workflow execution. A compromised token can grant attackers broader access to the repository or allow bypass of controls such as required reviews. Limiting permissions reduces the blast radius of credential misuse and pipeline compromise.

This policy currently applies to GitHub only.
ON/OFF (toggle)
Enable/disable the policy.
ON
Repo Visibility
Determines if this policy applies to public repos, private repos or both.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Excessive permissions in workflow setting
Purpose: Detects CI/CD workflows where permission settings grant broader access than required, based on GitHub API configuration data.
Business impact: Overly permissive workflow settings increase the impact of token theft or misuse. Compromised tokens may allow attackers to access repositories, secrets, or bypass review requirements. Applying least-privilege permissions limits the potential damage from compromised CI/CD credentials.

This policy currently applies to GitHub only.
ON/OFF (toggle)
Enable/disable the policy.
ON
Repo Visibility
Determines if this policy applies to public repos, private repos or both.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Incorrect storage of secret in GitHub Action
Purpose: Detects GitHub Actions configurations where sensitive values are stored as variables instead of encrypted secrets.
Business impact: Storing secrets in plaintext variables increases the risk of exposure if a runner is compromised. Exposed credentials can be used to access repositories, services, or infrastructure. Proper secret storage reduces the likelihood of credential leakage and unauthorized access.

This policy currently applies to GitHub only.
ON/OFF (toggle)
Enable/disable the policy.
ON
Repo Visibility
Determines if this policy applies to public repos, private repos or both.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Malicious webhook
Purpose: Detects webhook URLs with a malicious reputation based on threat intelligence sources.
Business impact: Malicious webhooks can provide attackers with continuous visibility into code and environment changes. They may enable data exfiltration or support persistence after a breach. Leaving such webhooks in place increases the risk of ongoing compromise.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Secret echoed in workflow console
Purpose: Detects CI/CD workflows that output secret values to logs or console output.
Business impact: Exposed secrets in workflow logs can be accessed by users with log visibility or, in public logs, by anyone. Compromised credentials may enable unauthorized access to systems or services. This increases the risk of data breaches and lateral movement.

This policy currently applies to GitHub only.
ON/OFF (toggle)
Enable/disable the policy.
OFF
Repo Visibility
Determines if this policy applies to public repos, private repos or both.
Current setting
Show issues of severity (dropdown)
Limits which severities appear as issues.
All (including Info)
Suspicious webhook
Purpose: Detects webhook URLs with a suspicious reputation based on threat intelligence sources.
Business impact: Suspicious webhooks may indicate early-stage compromise or unauthorized monitoring of repository activity. They can expose information about code changes and environments. Failure to investigate increases the risk of escalation to persistent or malicious access.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Unauthorized CI/CD used
Purpose: Detects code repositories that are built or deployed using CI/CD systems not approved by the organization.
Business impact: Use of unauthorized CI/CD bypasses required guardrails, tests, and security checks. Code changes may reach production without validation. This increases the risk of introducing vulnerabilities or malicious code.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
CI/CD
Select one or more CI/CD tools that are approved for use under this policy.
Current setting
Ignore Business Priority Less Than
Ignore repos with a Business Priority that is less than the value entered.
Current setting
Unauthorized serverless function deployment
Note: This capability is currently in Early Access (EA) and is not generally available. To request access, please contact OX technical support.
Purpose: Detects serverless functions that are deployed without using an authorized CI/CD application.
Business impact: Unauthorized deployment bypasses required build, test, and security controls. Functions may run with insecure code or misconfigurations. This increases the risk of runtime vulnerabilities and unauthorized behavior in production.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Ignore Business Priority Less Than
Ignore repos with a business priority that is less than the value entered.
Current setting
Unpinned (SHA) third-party actions in GitHub
Purpose: Detects GitHub Actions workflows that reference third-party actions without pinning them to a specific commit SHA (Secure Hash Algorithm hash) rather than a mutable tag or branch.
Business impact: Unpinned actions can change without notice and introduce malicious or insecure behavior. A compromised action may access repository secrets or use the GITHUB_TOKEN to modify code. This increases the risk of supply chain attacks through CI/CD workflows.

This policy currently applies to GitHub only.
ON/OFF (toggle)
Enable/disable the policy.
ON
Repo Visibility
Determines if this policy applies to public repos, private repos or both.
Current setting
Skip Verified Creators
If the repo creator is verified, no violation will occur.
ON
Exclude Actions Creators
When the action creator is excluded, no violation occurs. Click to add values.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
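The workflow-file policies above (CI/CD context values in workflow, Deprecated command in workflow, Excessive permissions in workflow file, Secret echoed in workflow console, and Unpinned third-party actions) all reduce to line-level checks on a GitHub Actions YAML file. The following scanner is an added example, not OX's own detection logic; it runs over a constructed workflow, uses simple regexes instead of a YAML parser, and treats the `actions/` and `github/` namespaces as first-party to approximate the Skip Verified Creators setting.

```python
import re

# Constructed sample workflow with one finding per rule (not from the page).
WORKFLOW = """\
name: ci
on: [pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/setup-tool@v2
      - uses: some-org/lint@0123456789abcdef0123456789abcdef01234567
      - name: greet
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          echo "::set-env name=FOO::bar"
      - run: echo "token=${{ secrets.DEPLOY_TOKEN }}"
"""

SHA40 = re.compile(r"^[0-9a-f]{40}$")
FIRST_PARTY = ("actions/", "github/")          # assumption: treated as verified creators
DEPRECATED = ("::set-env", "::add-path")         # deprecated workflow commands


def scan_workflow(text):
    """Return (line_no, rule) findings for the workflow-file policies."""
    findings = []
    in_run, run_indent = False, 0                # track multi-line `run: |` blocks
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if in_run and indent <= run_indent:      # dedent ends the run block
            in_run = False
        m = re.match(r"-?\s*run:\s*(.*)", stripped)
        if m:                                    # block scalar starts a multi-line run
            in_run, run_indent = m.group(1) in ("|", ">", "|-", ">-"), indent
        if stripped.startswith("permissions:") and "write-all" in stripped:
            findings.append((no, "excessive-permissions"))
        m = re.match(r"-\s*uses:\s*([^@\s]+)@(\S+)", stripped)
        if m and not m.group(1).startswith(FIRST_PARTY) and not SHA40.match(m.group(2)):
            findings.append((no, "unpinned-action"))   # tag or branch, not a commit SHA
        is_run = in_run or stripped.startswith(("run:", "- run:"))
        if is_run and "${{ github.event." in line:
            findings.append((no, "context-in-run"))     # untrusted context in a shell step
        if any(cmd in line for cmd in DEPRECATED):
            findings.append((no, "deprecated-command"))
        if is_run and "echo" in line and "${{ secrets." in line:
            findings.append((no, "secret-echoed"))
    return findings
```

Context values are flagged only inside `run:` steps, where they are interpolated into a shell before execution; passing them through an `env:` entry instead is the usual remediation.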
Webhook with unknown reputation
Purpose: Detects webhook URLs with an unknown reputation based on threat intelligence sources.
Business impact: Webhooks with unknown reputations may indicate unauthorized or unverified integrations. They can expose information about code changes and environments. Failure to validate these webhooks increases the risk of data exposure and persistent access.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Webhook without secret key
Purpose: Detects webhooks that are configured without a secret key for request validation.
Business impact: Webhooks without a secret key cannot verify the authenticity of incoming requests. Attackers may spoof webhook calls to trigger unauthorized actions or extract data. This weakens trust in CI/CD integrations and increases the risk of abuse.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Webhook without SSL/TLS
Purpose: Detects webhooks that communicate over connections not secured with SSL/TLS.
Business impact: Unencrypted webhook traffic can be intercepted or modified in transit. Exposed data may include code or sensitive metadata. This increases the risk of data leakage and man-in-the-middle attacks.

ON/OFF (toggle)
Enable/disable the policy.
ON
Show issues of severity (dropdown)
Limits which severities appear as issues.
All (including Info)
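The two webhook policies above (Webhook without secret key and Webhook without SSL/TLS) describe what a receiver loses when a webhook has no shared secret or is delivered over plain HTTP. The following is an added example of the receiver-side checks, not OX code: it verifies a GitHub-style `X-Hub-Signature-256` header (an HMAC-SHA256 over the raw request body, prefixed with `sha256=`) and checks that the configured webhook URL uses HTTPS. The secret and body are constructed values.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SECRET = b"constructed-demo-secret"        # constructed; a real deployment uses a random secret
BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"example/repo"}}'


def sign_payload(secret, body):
    """What a sender puts in X-Hub-Signature-256 when a secret key is configured."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret, body, signature_header):
    """Receiver-side validation: reject deliveries that are unsigned or tampered with.

    With no secret configured there is nothing to compare against, which is exactly
    the weakness the 'Webhook without secret key' policy reports.
    """
    if not secret:
        return False
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    # constant-time comparison so timing does not leak the expected digest
    return hmac.compare_digest(expected, signature_header)


def webhook_url_is_encrypted(url):
    """True only when the webhook endpoint is reached over TLS."""
    return urlsplit(url).scheme.lower() == "https"
```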
View policy issues
Open the Active Issues page.
Use the Category filter and select the policy category to view related active issues.
Use the Policy filter to narrow the list to a specific policy.
Apply the Category and Policy filters separately or together, depending on how specific you want the results to be.
Use the search box to refine results, such as filtering by file name, keyword, or rule identifier.
Create or save policy profiles
When you change a policy’s severity, ON/OFF toggle or any other setting, you must save the current profile or create a new one.
To save the current profile, click SAVE in the page header.
To create a new profile, click SAVE AS in the page header. For instructions, see the section Create or edit policy profiles in the Policies article.