
Abhimanyu Dhamija
Co-Founder, KoalaLab
Bengaluru, India
Founder & CEO, KoalaLab: Software supply chain security & Open-source Security
Previously:
Head, Data Sciences @ Housing.com
Quant @ Citigroup
Securing CI/CD: Complexity & Inspiration from runtime security
The growth of software supply chain attacks has prompted a closer look at the security of CI/CD. Build environments are prone to attacks that exfiltrate secrets and other sensitive data.
This talk covers what we learned building BOLT (https://github.com/koalalab-inc/bolt), an open-source tool that secures the CI runtime (for GitHub Actions).
Taking inspiration from runtime security, enabling a firewall on the build-time/CI runtime should be a good start. Since CI is a traffic source, that firewall is an egress filter.
Complexity 1: IP-based rules won't work. A lot of internet traffic sits behind CDNs/WAFs, so the egress filter requires domain-name-based filtering.
Complexity 2: The CI runtime sends outbound traffic to multi-tenant systems such as GitHub, Docker Hub and JFrog. This demands deep SSL inspection capabilities in the egress control.
Solution: TLS interception + eBPF
The Linux kernel supports eBPF, which provides a way to tap into SSL traffic without the need to decrypt it. Such a solution adds no overhead for developers and is efficient.
The talk also covers the implementation complexity of eBPF probing for the different kinds of SSL libraries, which is needed to make the solution comprehensive for all kinds of CI pipelines.
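Complexity 1 and Complexity 2 above, as an added example (not taken from the talk or from BOLT's code base): a default-deny egress decision keyed on hostname, with a path-prefix check for multi-tenant hosts. The policy format, the `acme-corp` organisation and all function names are hypothetical.

```python
import posixpath
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    host: str                  # exact name, or "*.suffix" for subdomains
    path_prefixes: tuple = ()  # empty: any path (single-tenant host)


# Constructed policy for a hypothetical org "acme-corp"; not BOLT's format.
POLICY = (
    Rule("github.com", ("/acme-corp/",)),
    Rule("api.github.com", ("/repos/acme-corp/",)),
    Rule("registry.npmjs.org"),
    Rule("*.pythonhosted.org"),
)


def host_matches(pattern: str, host: str) -> bool:
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def canonical_path(path: str) -> str:
    # Drop the query, decode %2e-style escapes, then collapse "." and ".."
    # so "/acme-corp/../attacker/" cannot satisfy a prefix rule.
    decoded = unquote(path.split("?", 1)[0])
    return "/" + posixpath.normpath("/" + decoded).lstrip("/")


def decide(host: str, path: Optional[str] = None) -> str:
    """path is None when only the hostname (e.g. TLS SNI) is visible."""
    for rule in POLICY:
        if not host_matches(rule.host, host):
            continue
        if not rule.path_prefixes:
            return "allow"
        if path is None:
            return "deny"  # multi-tenant host, request not inspectable
        target = canonical_path(path).rstrip("/") + "/"
        if any(target.startswith(p) for p in rule.path_prefixes):
            return "allow"
        return "deny"
    return "deny"  # default-deny for unknown destinations
```

A hostname-only view cannot tell the organisation's own repositories from any other tenant on the same host, which is why the multi-tenant rules deny when no request path is available.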
SOSS Community Day India 2024 Sessionize Event