owasp-cicd-top-10

OWASP Top 10 CI/CD Security Risks - prevention, detection, and remediation for pipeline security. Use when securing or reviewing CI/CD - flow control, IAM, dependency chain, poisoned pipeline execution, PBAC, credential hygiene, system config, third-party services, artifact integrity, logging and visibility.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "owasp-cicd-top-10" with this command: npx skills add yariv1025/skills/yariv1025-skills-owasp-cicd-top-10

OWASP Top 10 CI/CD Security Risks

This skill encodes the OWASP Top 10 CI/CD Security Risks for secure pipeline design and review. References are loaded per risk. Based on OWASP Top 10 CI/CD Security Risks 2022.

When to Read Which Reference

Risk | Read
--- | ---
CICD-SEC-1 Insufficient Flow Control | references/cicd-sec-1-flow-control.md
CICD-SEC-2 Inadequate IAM | references/cicd-sec-2-iam.md
CICD-SEC-3 Dependency Chain Abuse | references/cicd-sec-3-dependency-chain-abuse.md
CICD-SEC-4 Poisoned Pipeline Execution | references/cicd-sec-4-poisoned-pipeline-execution.md
CICD-SEC-5 Insufficient PBAC | references/cicd-sec-5-pbac.md
CICD-SEC-6 Insufficient Credential Hygiene | references/cicd-sec-6-credential-hygiene.md
CICD-SEC-7 Insecure System Configuration | references/cicd-sec-7-insecure-system-config.md
CICD-SEC-8 Ungoverned 3rd Party Services | references/cicd-sec-8-third-party-services.md
CICD-SEC-9 Improper Artifact Integrity Validation | references/cicd-sec-9-artifact-integrity.md
CICD-SEC-10 Insufficient Logging and Visibility | references/cicd-sec-10-logging-visibility.md

Quick Patterns

  • Enforce approval and branching for pipeline execution; apply least-privilege IAM. Verify dependency and artifact integrity; secure credentials; audit third-party usage; enable logging and alerting.

Quick Reference / Examples

Task | Approach
--- | ---
Protect main branch | Require PR reviews, signed commits, branch protection. See CICD-SEC-1.
Secure pipeline IAM | Least privilege, short-lived tokens, no shared creds. See CICD-SEC-2.
Verify dependencies | Lock versions, audit, verify checksums. See CICD-SEC-3.
Protect credentials | Use secrets manager, rotate, never log. See CICD-SEC-6.
Sign artifacts | Sign images/packages, verify before deploy. See CICD-SEC-9.

Safe - GitHub branch protection:

# .github/settings.yml (or repo settings)
branches:
  - name: main
    protection:
      required_pull_request_reviews:
        required_approving_review_count: 1
      required_status_checks:
        strict: true

Safe - short-lived OIDC credentials (GitHub Actions):

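permissions:
  id-token: write   # lets the job request a GitHub OIDC token
  contents: read

steps:  # inside the job that needs AWS access
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole  # placeholder 12-digit account ID
      aws-region: us-east-1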

Unsafe - long-lived secrets:

env:
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_KEY }}  # Prefer OIDC over static keys
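
A review check for the safe and unsafe credential patterns above, as an added example that is not part of the upstream SKILL.md: it scans workflow text for static AWS keys mapped from secrets and for `role-to-assume` used without `id-token: write`. The function name `audit_workflow`, the sample workflows and the account ID are constructed for illustration, and the check is file-wide and line-based rather than a full YAML parse.

```python
import re

# Static AWS keys mapped from repository secrets (the page's "Unsafe" pattern).
STATIC_KEY = re.compile(
    r"^\s*(aws_access_key_id|aws_secret_access_key|aws-access-key-id|"
    r"aws-secret-access-key)\s*:\s*\$\{\{\s*secrets\.[\w-]+\s*\}\}", re.I)
AWS_ACTION = re.compile(r"^\s*-?\s*uses\s*:\s*aws-actions/configure-aws-credentials@")
ROLE = re.compile(r"^\s*role-to-assume\s*:")
ID_TOKEN_WRITE = re.compile(r"^\s*id-token\s*:\s*write\s*$")

def audit_workflow(text):
    """Return (line_number, finding) tuples for one workflow file's text."""
    findings, action_line, has_role, has_id_token = [], None, False, False
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue                           # whole-line comment
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comment
        if STATIC_KEY.search(line):
            findings.append((n, "static AWS key from secrets; prefer OIDC"))
        if AWS_ACTION.search(line) and action_line is None:
            action_line = n
        has_role |= bool(ROLE.search(line))
        has_id_token |= bool(ID_TOKEN_WRITE.search(line))
    # OIDC role assumption needs the job to be allowed to request an ID token.
    if action_line and has_role and not has_id_token:
        findings.append((action_line, "role-to-assume without 'id-token: write'"))
    return findings

# Constructed sample workflows (not taken from any real repository).
UNSAFE = """\
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_KEY }}  # long-lived key
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole
          aws-region: us-east-1
"""
SAFE = UNSAFE.replace(
    "    env:\n      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_KEY }}  # long-lived key\n",
    "    permissions:\n      id-token: write\n      contents: read\n")

if __name__ == "__main__":
    for name, wf in (("unsafe", UNSAFE), ("safe", SAFE)):
        print(name, audit_workflow(wf))
```
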

Workflow

Load the reference for the risk you are addressing. See OWASP Top 10 CI/CD Security Risks for the official list.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
