Session
CI / CD: Correct Implementation or Continuous Deception
Stolen secrets, code leaks, RCE (Remote Code Execution): these are a few of the consequences of an insecure or badly configured CI. However, CI / CD pipelines are often out of scope in pentests, and no one is responsible for securing them.
CI / CD pipelines have improved our coding best practices, including security, and given teams ways to enforce them through automated tools and standards. However, they are part of the attack surface and must be secured, patched and verified with the same precautions as the code. Some default configurations are even dangerous and need to be changed!
In this talk, you'll discover how injections can be made in CI / CD pipelines, how to extract secrets or execute scripts, and the best ways to secure your pipelines.

Marine du Mesnil
Head of CyberSecurity Tribe and Tech Lead @Theodo
Paris, France