Document Open Access Logo

Vulnerability Detection Across Different CI/CD Platforms

Authors Vasco Manuel Oliveira, Alberto Simões , Pedro Rangel Henriques

PDF HTML 5

Files

Thumbnail PDF
PDF
OASIcs.SLATE.2025.4.pdf
  • Filesize: 0.59 MB
  • 15 pages
HTML5 Logo HTML (experimental)
OASIcs.SLATE.2025.4.html

Document Identifiers

Subject Classification

ACM Subject Classification
  • Software and its engineering → Software verification and validation
Keywords
  • Software Supply Chain
  • Software Supply Chain Security
  • CI/CD Platforms

Metrics

  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    0
    PDF Downloads
    0
    Metadata Views

Abstract

In recent years, more attention has been paid to the security of the software supply chain (SSC). While at first SSC was just seen as the dependency of other libraries, today SSC is broader, considering all the environment where a software application is developed, from the actors, hardware and auxiliary tools.
This work focuses on a specific part of software supply chain security: the tools used for continuous integration and continuous deployment (CI/CD) and their vulnerabilities and risks. These tools are widely used by organizations to accelerate their software development, testing, and delivery, making any security issue present in these tools problematic for the organization. This is especially true given that most tools are open-source, making these tools the primary targets for exploits. 
We will present a quick introduction to SSCS and CI/CD and provide a practical solution to detect risks and vulnerabilities in CI/CD tools, emphasizing the modular approach, allowing the system to easily scale to detect new risks and vulnerabilities, as well as to support new CI/CD tools.

Cite As Get BibTex

Vasco Manuel Oliveira, Alberto Simões, and Pedro Rangel Henriques. Vulnerability Detection Across Different CI/CD Platforms. In 14th Symposium on Languages, Applications and Technologies (SLATE 2025). Open Access Series in Informatics (OASIcs), Volume 135, pp. 4:1-4:15, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2025) https://doi.org/10.4230/OASIcs.SLATE.2025.4

Author Details

Vasco Manuel Oliveira
  • Checkmarx, Braga, Portugal
  • ALGORITMI Research Centre/LASI, Dep. of Informatics, University of Minho, Braga, Portugal
Alberto Simões
  • Checkmarx, Braga, Portugal
  • 2Ai – School of Technology, IPCA, Barcelos, Portugal
  • LASI – Associate Laboratory of Intelligent Systems, Guimarães, Portugal
Pedro Rangel Henriques
  • ALGORITMI Research Centre / LASI, Dep. of Informatics, University of Minho, Braga, Portugal

Funding

  • Simões, Alberto: This work has been partly supported by Fundação para a Ciência e Tecnologia, under framework of the Strategic Fundings UIDB/05549/2020, UIDP/05549/2020 and LASI-LA/P/0104/2020.
  • Henriques, Pedro Rangel: This work has been supported by FCT – Fundação para a Ciência e Tecnologia within the R&D Unit Project Scope UID/00319/Centro ALGORITMI (ALGORITMI/UM)

References

  1. Kent Beck. Extreme Programming Explained: Embrace Change. XP series. Addison-Wesley Professional, illustrated edition, 2000. Google Scholar
  2. Microsoft Corporation. SARIF. URL: https://sarifweb.azurewebsites.net/.
  3. Clint Gibler and Francis Odum. An Overview of Software Supply Chain Security. https://tldrsec.com/p/supply-chain-security-overview, 2023.
  4. GitHub. GitHub actions, 2024. URL: https://github.com/features/actions.
  5. Red Hat. What is a CI/CD pipeline? https://www.redhat.com/en/topics/devops/what-cicd-pipeline, 2022.
  6. Senior Technical Content Marketing Manager Jacob Schmitt. Software supply chain: What it is and how to keep it secure. https://circleci.com/blog/secure-software-supply-chain/#what-is-the-software-supply-chain, 2023.
  7. Jenkins. Jenkins, 2024. URL: https://www.jenkins.io/.
  8. Jenkins. Jenkins plugins index. https://plugins.jenkins.io/, 2025.
  9. Legit Security. Software supply chain security, 2025. URL: https://www.legitsecurity.com/software-supply-chain-security.
  10. Jaroslav Lobačevski. Keeping your GitHub Actions and workflows secure: Preventing pwn requests. https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/, 2021.
  11. McKinsey & Company. What is supply chain? https://www.mckinsey.com/featured-insights/mckinsey-explainers/what-is-supply-chain, 2023.
  12. Open Source Security Foundation and Google. Supply-chain Levels for Software Artifacts (SLSA). https://slsa.dev, 2021. Accessed: 2025-04-28.
  13. Foundation OWASP. OWASP Top 10 CI/CD Security Risks. https://owasp.org/www-project-top-10-ci-cd-security-risks/#, 2022.
  14. OX Security. Ox security, 2025. URL: https://www.ox.security/.
  15. Sebastián Ramírez. Fastapi. https://fastapi.tiangolo.com/. Accessed: 2025-04-21.
  16. Pooya Rostami Mazrae, Tom Mens, Mehdi Golzadeh, and Alexandre Decan. On the usage, co-usage and migration of ci/cd tools: A qualitative analysis. Empirical Software Engineering, 28(52), 2023. URL: https://doi.org/10.1007/s10664-022-10285-5.
  17. Bhaskara Sahithi Shanmukhi. Implementing and using ci/cd: Addressing key challenges faced by software developers. International Journal of Scientific Research in Engineering and Management (IJSREM), 08(08), 2024. Google Scholar
  18. VirusTotal. YARA-X. https://virustotal.github.io/yara-x/, 2024.
Any Issues?
X

Feedback on the Current Page

CAPTCHA

Thanks for your feedback!

Feedback submitted to Dagstuhl Publishing

Could not send message

Please try again later or send an E-mail
© 2023-2025 Schloss Dagstuhl – LZI GmbH About DROPS Imprint Privacy Contact