CI/CD
CI/CD (Continuous Integration / Continuous Delivery) is a pair of software engineering practices that combine continuous integration of code changes with automated delivery of those changes to production environments.
What is CI/CD?
CI/CD Definition
CI/CD combines two complementary software engineering practices:
- CI (Continuous Integration) — the practice of regularly (at least several times a day) merging code changes into a shared repository, with automated tests and validations running after each commit.
- CD (Continuous Delivery / Continuous Deployment) — automating the preparation and deployment of code to test and production environments. Continuous Delivery means the code is always in a deployable state but the production release requires manual approval, while Continuous Deployment automates the whole path to production.
CI/CD is the foundation of modern DevOps and DevSecOps approaches, enabling teams to deliver software quickly, repeatably, and securely.
How Does a CI/CD Pipeline Work?
A typical CI/CD pipeline consists of the following stages:
- Commit & Push — a developer pushes code changes to the repository (Git).
- Build — the system automatically compiles code, builds artifacts and container images.
- Test — unit tests, integration tests, and end-to-end tests are executed.
- Security Scan — static code analysis (SAST), dependency scanning (SCA), container scanning.
- Deploy to Staging — automated deployment to the test/staging environment.
- Acceptance Tests — acceptance tests, performance tests, dynamic security testing (DAST).
- Deploy to Production — deployment to production (automated or after manual approval).
- Monitoring — monitoring application behavior post-deployment.
Popular CI/CD Tools
| Tool | Type | Key Features |
|---|---|---|
| Jenkins | Self-hosted, open source | Flexible, huge plugin ecosystem |
| GitLab CI/CD | Integrated with GitLab | Complete DevOps platform |
| GitHub Actions | Cloud-native | Native GitHub integration |
| Azure DevOps | Cloud / hybrid | Full Microsoft ecosystem |
| ArgoCD | Kubernetes-native | GitOps for Kubernetes |
| CircleCI | Cloud-first | Speed, easy configuration |
CI/CD Pipeline Security
CI/CD pipelines are attractive attack targets because they have access to source code, secrets (API keys, credentials), and production environments. Key attack vectors:
- Poisoned pipeline execution — injecting malicious code into the pipeline (e.g., through a modified pull request).
- Secret leakage — secrets leaking through pipeline logs, environment variables, or artifacts.
- Dependency confusion — tricking the build into fetching a malicious public package that carries the same name as an internal dependency.
- Supply chain attacks — compromising CI/CD tools or plugins.
- Insufficient access control — pipeline service accounts granted broader infrastructure permissions than they need.
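Secret leakage through pipeline logs is the vector most easily caught on the defender's side, because the logs are already collected. The scanner below is an added example written for this page, not code from the original; it runs a handful of secret-shaped patterns (an AWS access key id, a GitHub token, a JWT, credentials embedded in a URL, and `NAME=value` assignments whose name suggests a secret) over a constructed sample of build output, reports which lines expose what, and produces a redacted copy. The sample log lines and the pattern set are constructed for illustration; the AWS key is the documented example value, and a real deployment would use a maintained rule set rather than these five expressions.

```python
import re

# Constructed sample pipeline log (not real credentials): ordinary build output
# mixed with the kinds of accidental exposure the text describes.
SAMPLE_LOG = """\
[build] Compiling module auth
[env] Exporting AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
[env] Exporting AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[deploy] curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c' https://api.example.internal/deploy
[git] Pushing to https://ci-bot:ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@github.example/repo.git
[test] 42 passed, 0 failed
"""

# (kind, compiled pattern, replacement). Replacements never match their own
# pattern again, so redaction is idempotent and a second scan comes back clean.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "<redacted:aws_access_key_id>"),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
     "<redacted:github_token>"),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
     "<redacted:jwt>"),
    # user:password (or user:token) embedded between "://" and "@" in a URL
    ("basic_auth_url", re.compile(r"(?<=://)[^/\s:<]+:[^@\s]+(?=@)"),
     "<redacted:basic_auth_url>"),
    # NAME=value where NAME looks like a secret; keep the name, drop the value
    ("assigned_secret",
     re.compile(r"(?i)\b([A-Z0-9_]*(?:SECRET|PASSWORD|TOKEN|API_KEY)[A-Z0-9_]*)=(?!<redacted:)(\S+)"),
     r"\1=<redacted:assigned_secret>"),
]


def scan_log(text):
    """Return {line_number: [kinds]} for every line that exposes a secret."""
    findings = {}
    for number, line in enumerate(text.splitlines(), start=1):
        kinds = [kind for kind, pattern, _ in SECRET_PATTERNS if pattern.search(line)]
        if kinds:
            findings[number] = kinds
    return findings


def redact_line(line):
    """Replace every matched secret in one line with a labelled placeholder."""
    for _kind, pattern, replacement in SECRET_PATTERNS:
        line = pattern.sub(replacement, line)
    return line


def redact_log(text):
    """Redact a whole log; safe to store or forward after this step."""
    return "\n".join(redact_line(line) for line in text.splitlines())


if __name__ == "__main__":
    for number, kinds in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(kinds)}")
    print(redact_log(SAMPLE_LOG))
```

Run over the sample, the scanner flags lines 2 to 5 and leaves the build and test lines untouched; scanning the redacted output again yields no findings, which is the property to check before a log is shipped to a shared log store. Secret managers that mask known secret values in output (the "masked variables" feature of most CI platforms) complement this: masking handles the secrets the platform knows about, pattern scanning catches the ones a script printed that it never should have held.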
Applications
- Faster software delivery — automation eliminates manual, error-prone processes.
- Improved code quality — continuous testing catches bugs early.
- DevSecOps — integrating security scans (SAST, DAST, SCA) into the pipeline.
- Infrastructure as Code — automated provisioning and configuration of infrastructure.
- Compliance — auditable, repeatable deployment process meeting regulatory requirements.
- Rollback — quick rollback of problematic deployments through artifact versioning.
Threats and Challenges
- Pipeline compromise — an attack on CI/CD can lead to malicious code injection into production.
- Secrets management — improper storage of credentials in pipelines is a common security mistake.
- Complexity — elaborate pipelines can be difficult to maintain and debug.
- Vendor lock-in — strong dependency on a specific CI/CD platform.
- Infrastructure cost — large projects require significant compute resources for building and testing.
- Flaky tests — unstable tests undermine trust in the pipeline and lead to their results being ignored.
Best Practices
- Implement Security as Code — define security policies as code, enforce them in the pipeline.
- Use dedicated secret managers (HashiCorp Vault, AWS Secrets Manager) — never hardcode credentials.
- Implement SAST, SCA, and container scanning as mandatory pipeline stages.
- Apply the principle of least privilege for pipeline service accounts.
- Require signed commits and protected branches — control who and what enters the pipeline.
- Monitor drift between repository code and production state.
- Log and audit all pipeline executions, configuration changes, and secret access.
- Use canary or blue-green deployments for safe releases.
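"Security as Code" means the pipeline definition itself is checked against policy before it is allowed to run. The linter below is an added example written for this page, not code from the original or from any CI vendor; it works on a pipeline definition held as a Python dictionary in the shape a GitHub Actions workflow file parses into (constructed here so the example needs no YAML library) and enforces three of the practices listed above: least-privilege token permissions, third-party actions pinned to a full commit SHA rather than a mutable tag, and a mandatory security-scan job that every deploy job must depend on. The job names, the `security-scan` convention and the all-zero commit SHA are placeholders chosen for the example.

```python
import re

# A reference of the form "owner/repo@<40 hex chars>" is pinned to a commit.
SHA_PINNED = re.compile(r"@[0-9a-f]{40}$")

# Constructed "before" workflow: blanket permissions, a tag-pinned action,
# no scan job, deploy depends only on build.
WEAK_WORKFLOW = {
    "name": "build-and-deploy",
    "on": {"push": {"branches": ["main"]}},
    "permissions": "write-all",
    "jobs": {
        "build": {
            "steps": [{"uses": "actions/checkout@v4"}, {"run": "make build"}],
        },
        "deploy": {
            "needs": ["build"],
            "steps": [{"run": "./deploy.sh production"}],
        },
    },
}

# Constructed "after" workflow that satisfies the policy. The SHA is a
# placeholder; a real pin is the commit of the action release being used.
HARDENED_WORKFLOW = {
    "name": "build-and-deploy",
    "on": {"push": {"branches": ["main"]}},
    "permissions": {"contents": "read"},
    "jobs": {
        "build": {
            "steps": [{"uses": "actions/checkout@" + "0" * 40}, {"run": "make build"}],
        },
        "security-scan": {
            "needs": ["build"],
            "steps": [{"run": "make sast sca container-scan"}],
        },
        "deploy": {
            "needs": ["build", "security-scan"],
            "permissions": {"contents": "read", "id-token": "write"},
            "steps": [{"run": "./deploy.sh production"}],
        },
    },
}


def lint_workflow(workflow, scan_job="security-scan", deploy_prefix="deploy"):
    """Return a list of policy violations; an empty list means the pipeline is admitted."""
    findings = []
    jobs = workflow.get("jobs", {})

    # 1. Least privilege: permissions must be explicit and never blanket write.
    if workflow.get("permissions") is None:
        findings.append("workflow: no top-level 'permissions' block (platform defaults may grant write access)")
    elif workflow["permissions"] == "write-all":
        findings.append("workflow: 'permissions: write-all' violates least privilege")
    for name, job in jobs.items():
        if job.get("permissions") == "write-all":
            findings.append(f"job '{name}': 'permissions: write-all' violates least privilege")

    # 2. Supply chain: every external action must be pinned to an immutable commit.
    for name, job in jobs.items():
        for step in job.get("steps", []):
            ref = step.get("uses")
            if ref and not ref.startswith("./") and not SHA_PINNED.search(ref):
                findings.append(f"job '{name}': action '{ref}' is not pinned to a commit SHA")

    # 3. Mandatory scan stage gating every deployment.
    if scan_job not in jobs:
        findings.append(f"no mandatory '{scan_job}' job in the workflow")
    for name, job in jobs.items():
        if name.startswith(deploy_prefix):
            needs = job.get("needs", [])
            needs = [needs] if isinstance(needs, str) else needs
            if scan_job not in needs:
                findings.append(f"job '{name}' deploys without depending on '{scan_job}'")
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {lint_workflow(wf) or 'admitted'}")
```

Against the weak definition the linter reports four violations (blanket permissions, an unpinned action, no scan job, and a deploy job that does not wait for one) and against the hardened one it reports none. Running such a check as the first step of the pipeline, or as a pre-receive hook on the repository that stores the workflow files, turns the bullet points above into a gate that a pull request cannot bypass.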
Related Terms
- DevSecOps - security integration in the DevOps process
- Secure Coding - secure code development practices
- IT Automation - IT process automation
- Containerization - running applications in containers