How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

Cicd Pipeline Security: cicd pipeline security for resilient delivery

Securing your CI/CD pipeline is all about weaving security practices and tools directly into your software delivery lifecycle. It’s a fundamental shift in mindset. You have to stop seeing your build and deployment automation as just a helpful tool and start treating it as a first-class production environment. This means it needs the same rigorous security controls, auditing, and proactive defence you'd apply to any other critical system to fend off supply chain attacks.

Why CI/CD Pipeline Security Is Not Negotiable

Diagram illustrating a CI/CD pipeline with vulnerabilities identified before secure deployment to production.

In modern software development, the CI/CD pipeline is the central nervous system. It automates everything, from a developer's code commit all the way to a live production deployment. While this speed is a massive advantage, it also creates a powerful, high-value target for attackers.

A single breach in your pipeline can give an adversary frightening levels of access. We’re talking source code, credentials, and even the power to inject their own malicious code directly into your software before it ever reaches your customers. This isn't just a theoretical risk anymore; it's a real and growing threat. The old idea of a secure perimeter is gone. Attackers now know that hitting the build system is often the quickest and most damaging way to get what they want, completely bypassing your hardened production defences.

A New Battlefield for Attackers

Think of your pipeline as a high-speed assembly line for your application. It’s constantly handling your most sensitive assets—uncompiled source code, API keys, database credentials, and infrastructure tokens. If that assembly line is compromised, everything it produces becomes tainted.

This reality demands a critical mindset shift. We can no longer afford to view the CI/CD pipeline as a mere developer convenience. It needs to be scrutinised with the same intensity as any other piece of critical infrastructure. Every single script, tool, and integration within that pipeline is a potential doorway for an attack.

"A compromised CI/CD pipeline is a supply chain attack waiting to happen. It offers attackers a trusted, automated path to inject vulnerabilities, steal credentials, and distribute malicious code to your customers without ever breaching your production servers."

The Data Proves the Danger

The security of CI/CD pipelines has become a major headache for organisations across the UK. Recent research paints a pretty stark picture: over 20% of organisations were hit by a CI/CD pipeline security incident in the last year alone. What’s more, an alarming 57% of organisations had incidents related to exposed secrets within the past two years.

These numbers tell a clear story: build systems have become an attacker's favourite shortcut to production secrets. This escalating threat is precisely why the UK's National Cyber Security Centre explicitly calls for securing 'the build and deployment pipeline', stressing the need for trusted tools and automated security checks. If you're interested in learning more, you can discover some great insights about DevSecOps for UK businesses on storminternet.co.uk.

Understanding the Core Vulnerabilities

Several common weak spots make pipelines such inviting targets. Without the right controls in place, these vulnerabilities are just waiting to be exploited.

Exposed Secrets: Hardcoded API keys, passwords, or tokens left in build scripts or environment variables are the lowest-hanging fruit for any attacker who gets a foothold.
Insecure Build Runners: A poorly configured or unpatched build agent can be compromised, giving an attacker a launchpad to move laterally across your infrastructure.
Dependency Poisoning: Malicious packages pulled in from public repositories can execute arbitrary code during the build, compromising the entire pipeline from within.
Lax Access Controls: If access rights are too permissive, a single compromised developer account could be all an attacker needs to alter build configurations and inject malicious steps.

Ignoring these issues turns your engine of innovation into your biggest liability. In the sections that follow, we'll walk through a practical, hands-on guide to transform your pipeline from a target into a fortress.

It’s one thing to talk about CI/CD security in theory, but it’s another thing entirely to see what happens when it goes wrong in the real world. When you dissect how attackers have actually broken into pipelines, the theoretical risks suddenly become very real, offering powerful lessons for every development team.

These incidents aren't just spooky stories; they're blueprints of what to avoid. They show us the specific weak spots—from a dodgy build tool to a subtle cloud misconfiguration—that can blow up into massive supply chain attacks, hitting thousands of customers down the line. By getting to grips with how these breaches happened, we can build a rock-solid case for locking down our own pipelines.

The SolarWinds Supply Chain Catastrophe

The SolarWinds attack is the textbook example of how to infiltrate a pipeline. The attackers didn't just smash through the front door of SolarWinds' production servers. They were far more patient. They methodically worked their way into the internal build system for the Orion network monitoring software.

Once inside the CI/CD environment, they slipped a tiny, malicious backdoor into the software right at the compilation stage. This tampered update was then digitally signed with a completely valid SolarWinds certificate and shipped out to thousands of customers who had no reason to suspect a thing. The pipeline itself became a trusted delivery mechanism for malware, making the attack almost impossible to spot.

The big takeaway from SolarWinds? The integrity of your build process is everything. If an attacker can change your code before it gets signed and packaged, all the security checks you do later are useless. Your pipeline has to be a fortress.

Codecov and the Peril of Exposed Credentials

The Codecov breach shines a light on another critical blind spot: the tools you trust within your pipeline. Here, the attackers didn't go after Codecov’s main application. Instead, they altered a single Docker image uploader script—a tiny cog in their CI machine.

This malicious script was cleverly designed to sniff out environment variables in any CI/CD pipeline that ran the Codecov tool. It hoovered up API keys, database connection strings, and service tokens from Codecov's customers and quietly sent them off to an external server. A single compromised tool poisoned the well for countless other organisations, showing just how much we rely on the security of our dependencies.

Capital One's Costly Misconfiguration

While not a direct code injection, the Capital One breach is a stark reminder that pipeline security doesn't end with your code. The attacker found a way in through a misconfigured web application firewall, which in turn gave them credentials to access data sitting in Amazon S3 buckets.

The real damage was done by an IAM role with far too many permissions—a role likely used by a pipeline process. This allowed the attacker to list and steal data from over 100 million customer accounts. It’s proof that security has to cover the entire infrastructure your pipeline touches. The principle of least privilege isn't just a nice idea; it's a non-negotiable line of defence.

These real-world examples show just how devastating a CI/CD vulnerability can be. The SolarWinds, Codecov, and Capital One breaches are powerful case studies, each highlighting a different attack vector but all pointing to the same conclusion. You can dive deeper into CI/CD security best practices for DevSecOps teams at squareops.com. Each incident hammers home the need for strict access controls, short-lived credentials, and an unwavering commitment to the principle of least privilege.

Your Prioritised Pipeline Security Checklist

Securing an entire CI/CD pipeline can feel like a huge, sprawling project. Where do you even begin? The key is to stop trying to do everything at once and instead focus your efforts on the areas that attackers exploit most often. This checklist is all about tackling the biggest risks first.

Think of it as building layers of defence, starting with the most critical foundations.

Flowchart illustrating CI/CD security process steps: access control, harden runners, and manage secrets.

Starting with strict access control, then hardening the execution environment, and finally securing credentials, creates a solid security posture against the most common attacks. Let's break down what this means in practice.

Before we dive into the details, here's a quick overview of where you should be focusing your energy first.

CI/CD Security Priorities At a Glance

This table summarises the top-tier controls, what they protect you from, and how urgently you should be implementing them.

Getting the "High" priority items right will give you the most significant security uplift for your time invested. Now, let’s explore the top three in more detail.

Lock Down Access with the Principle of Least Privilege

This is your single most powerful security lever. The principle of least privilege means that every single user, service, or build job should have the absolute minimum permissions needed to do its job—and not a single permission more. Over-generous access is an open invitation for an attacker to move around your systems.

In fact, research into pipeline security vulnerabilities found that poor access control is one of the most common issues plaguing UK organisations. The study, which identified 25 distinct threats, also noted that organisations with clear configuration docs and change histories saw 50% fewer incidents. It's a clear signal that version-controlling your pipeline permissions is a game-changer. You can dig into the full research on CI/CD pipeline threats for a deeper risk analysis.

Start by auditing who and what has access to your pipelines.

Job-Specific Tokens: Use temporary, short-lived tokens that are scoped to a single pipeline job. Never use one powerful, long-lived credential for everything.
Branch Protection Rules: Protect your main and release branches. Mandate pull request reviews and status checks before any code can be merged. This stops unauthorised changes to critical pipeline files like Jenkinsfile or .github/workflows/.
Separate Permissions: If a job only needs to build code, it should never have permission to deploy to production. Break your pipeline into distinct stages and assign tight, granular permissions for each one.

Harden Your Build Runners

Your build runners—the machines or containers where your jobs actually run—are juicy targets. If an attacker compromises one, they can potentially steal secrets from memory, tamper with your software, or use it as a launchpad to attack other parts of your network.

You need to start treating your runners as disposable assets, not as precious servers.

Treat your build environment as hostile territory. Every job should run in a clean, isolated environment that is torn down immediately after completion. This drastically reduces the window of opportunity for an attacker to establish a foothold.

Here's how to harden them effectively:

Use Ephemeral Runners: Configure your CI system to spin up a fresh runner for every single job and destroy it the moment the job finishes. This simple step prevents malware or a compromised state from carrying over to the next build.
Minimalist Base Images: Your runner images should be stripped down to the bare essentials. Don't install curl, git, and every other tool under the sun "just in case." A smaller attack surface means fewer things to exploit.
Disable Direct Runner Access: There is almost no good reason for a developer to SSH directly into a build runner. All interactions should happen through the CI/CD platform itself.

Master Your Secrets Management

Hardcoded secrets are one of the most common—and entirely avoidable—security blunders. Things like API keys, database passwords, and private certificates have no business being in your source code, config files, or even environment variables in plaintext.

Using a centralised secrets management tool isn't a "nice-to-have"; it's a fundamental requirement.

Use a Secrets Vault: Integrate a dedicated secrets manager like HashiCorp Vault, AWS Secrets Manager, or Google Secret Manager. Your pipeline should fetch credentials from the vault at runtime, just before they're needed.
Inject Secrets Dynamically: The CI/CD system must securely inject these secrets into the build environment for the specific step that needs them. Critically, make sure they are never, ever printed to the logs.
Rotate Credentials Regularly: Automate the rotation of all your secrets. If a credential does get leaked, this practice ensures its lifespan is incredibly short, massively limiting the potential damage.

By prioritising these three core areas—access control, runner hardening, and secrets management—you're tackling the highest-risk vulnerabilities head-on. For a deeper look at integrating these controls, check out our guide on embedding security throughout the software development lifecycle. This structured approach helps you build a strong security foundation layer by layer, creating a truly resilient pipeline.

5. Automate Security with Modern Scanning Tools

Let's be honest, manual security reviews just can't keep up anymore. In a world of rapid development cycles, they're a guaranteed bottleneck. They slow down releases, and worse, they can easily miss the subtle misconfigurations that lead to major breaches. This is where true DevSecOps shines—by embedding automated security checks directly into your workflow.

The whole point is to give developers immediate feedback when and where it matters most: right inside their pull request. This isn't about replacing your security team; it's about making them more effective. When automation catches the low-hanging fruit, your security experts are freed up to hunt for more complex threats, like tricky business logic flaws.

The Core Types of Automated Security Scanning

To build a genuinely resilient pipeline, you need a mix of different scanning tools. Think of it as building a layered defence, where each tool provides a unique view of your application's security.

Static Application Security Testing (SAST): These are your code-level detectives. SAST tools scan your source code without running it, looking for well-known vulnerability patterns like SQL injection, hardcoded secrets, or dangerous function calls. They're perfect for running on every single commit because they're fast and catch issues right at the source.
Software Composition Analysis (SCA): Almost all modern applications are built on a mountain of open-source packages. SCA tools are essential for managing this. They scan your dependencies, cross-reference them with databases of known vulnerabilities (CVEs), and flag any risky libraries. A single compromised package can trigger a massive supply chain attack, so this is non-negotiable.
Dynamic Application Security Testing (DAST): While SAST looks from the inside out, DAST does the opposite. It tests your running application from an attacker's perspective, actively probing for vulnerabilities like Cross-Site Scripting (XSS) or insecure server configurations. You'll typically run DAST later in the pipeline, against a staging or test environment.

The real magic happens when you layer these tools together. SAST cleans up your own code, SCA secures the third-party code you rely on, and DAST validates the security of the final, running application. It’s a comprehensive approach.

Integrating a Scanner: A Practical Example

Enough theory. Let's walk through a real-world scenario. Say you're building with Supabase or Firebase and want to make sure no dangerous configurations are merged into your main branch. This is the perfect job for an infrastructure-aware scanner like AuditYour.App. It’s designed to check for things like overly permissive database rules, exposed Remote Procedure Calls (RPCs), or secrets you've accidentally left in your frontend code.

The best place to run a scan like this is on every single pull request. It creates a tight feedback loop, stopping vulnerabilities dead in their tracks before they ever get a chance to be merged.

Here’s a simple but powerful way to automate this with GitHub Actions:

name: Run AuditYour.App Security Scan uses: audityour-app/github-action@v1 with: project-url: ${{ secrets.AYAP_PROJECT_URL }} api-key: ${{ secrets.AYAP_API_KEY }}
Fail the build if any high-severity issues are found
fail-on-severity: 'high'

This small block of YAML is doing some serious work. It calls the official GitHub Action, pulls credentials securely from GitHub Secrets, and kicks off a full scan. The most important line is fail-on-severity: 'high'. This tells your CI pipeline to fail the build if the scan finds any high-priority issues. It’s a hard gate that prevents the deployment from continuing until the problem is fixed.

You can see below how the results pop up right inside the pull request, giving the developer clear, actionable feedback without them ever having to leave GitHub.

This simple integration transforms security from a periodic, manual task into an automatic, unavoidable quality gate for every single change.

From Finding Issues to Preventing Them

Just detecting vulnerabilities is only half the battle. The real goal is prevention, and that's where failing the build on a critical finding becomes so powerful. It fundamentally shifts security from an afterthought to a core requirement for any code to be considered "done".

Imagine a developer accidentally commits a Supabase service key. Here's how the automated workflow saves the day:

The developer opens a new pull request.
The GitHub Actions workflow triggers instantly.
The AuditYour.App scanner gets to work, analysing the code changes.
It immediately spots the exposed key and reports a high-severity finding.
Thanks to the fail-on-severity rule, the CI job fails.
The PR is automatically blocked from being merged, and the developer gets a notification explaining exactly what’s wrong and how to fix it.

This immediate feedback loop is what DevSecOps is all about. The vulnerability is caught and fixed in minutes, not months. It's infinitely cheaper and safer than finding that same secret in production after it's already been compromised.

If you want to go deeper, we cover more practical steps in our complete automated security scanning guide. By weaving these automated checks into your pipeline, you’re not just shipping software—you’re actively hardening it with every single commit.

Establishing Pipeline Monitoring and Incident Response

Diagram illustrates a security incident response workflow: alert, engineer, responder, manager, and IR plan.

Even with the best defences in place, you have to work on the assumption that a breach isn’t a matter of if, but when. Your ability to spot an incident, respond, and recover is every bit as important as preventing one in the first place. A solid CI/CD pipeline security posture is incomplete without robust monitoring and a well-rehearsed incident response plan.

Without proper visibility, you're essentially flying blind. Malicious activity, like the kind seen in the reviewdog breach where secrets were simply printed to build logs, could easily go unnoticed for weeks or even months. This is where comprehensive logging becomes your first line of detection.

Building Your Pipeline's Sentry

Effective monitoring starts with knowing what to look for. You need to collect logs that can tell a clear story, helping you distinguish between normal developer activity and the subtle signs of a compromise. Think of it as setting up a CCTV system for your entire software delivery process.

Your logging strategy should capture several critical event types:

Pipeline Executions: Log every start, stop, success, and failure. Make sure to include details like the user who triggered it, the specific commit hash, and the branch involved.
Configuration Changes: Any modification to a pipeline file (e.g., .github/workflows/, Jenkinsfile) is a high-stakes event. These changes must be logged and trigger an immediate alert.
Permission Updates: Record any changes to user access, roles, or secret management policies. An unexpected privilege escalation is a massive red flag.
Build Runner Activity: Keep an eye on unusual network connections or file system changes on your runners. If a build job suddenly tries to phone home to an external server, it should be treated as suspicious.

Remember, the goal of monitoring isn't just to hoard data; it's to generate actionable alerts. A flood of meaningless notifications only leads to alert fatigue, causing your team to ignore the one that actually matters.

Crafting a Pragmatic Incident Response Plan

When an alert fires at 2 AM, the last thing you want is a team scrambling to figure out who does what. An incident response (IR) plan is your pre-written playbook for managing chaos. It doesn't need to be a hundred-page document; a simple, clear plan is far more effective. For a deeper dive, you can learn more about the principles of effective cloud security monitoring in our related article.

A focused IR plan for pipeline security needs to clearly define a few core elements.

Roles and Responsibilities

Who's in charge? You need to clearly outline the key players and what they are expected to do during an incident.

Incident Commander: The single point of contact who leads the response, coordinates all communication, and makes the tough calls.
Technical Lead: The hands-on expert responsible for digging into the breach, containing the threat, and performing any necessary forensics.
Communications Lead: Manages updates to internal stakeholders (and potentially external customers) to prevent misinformation from spreading.

Communication Channels

Establish a dedicated channel just for incident response, like a specific Slack channel or a conference bridge. This ensures all communication is centralised and crucial information doesn't get lost in day-to-day chatter.

Containment and Recovery Playbooks

Develop simple, step-by-step playbooks for the most likely scenarios.

Leaked Credential: How do you revoke the key, identify every place it was used, and rotate it across all systems?
Compromised Runner: What's the process for isolating the runner, preserving it for forensic analysis, and ensuring no other part of the system was affected?
Malicious Code Injected: How do you pinpoint the tampered artefact, halt all deployments, and roll back to a known-good version?

Finally, a plan is useless if it just sits on a shelf. Run regular tabletop exercises where you walk through a hypothetical breach scenario. These drills build muscle memory, reveal gaps in your plan, and ensure your team is ready to act decisively when a real incident occurs.

Got Questions About CI/CD Pipeline Security?

When teams start digging into securing their CI/CD pipelines, a lot of the same questions pop up. Where do we even begin? Which tools are actually worth the effort? And how do we do this without grinding our development to a halt?

Let’s tackle some of the most common questions I hear from teams on the ground.

Where Should I Start? What’s the Most Important First Step?

If you do only one thing, get a handle on secrets management. It's the absolute cornerstone. A shocking number of pipeline breaches, like the one that hit reviewdog, happen because credentials get mishandled—leaked in logs, committed to source code, or snatched from a runner’s memory. You can’t build a secure house on a foundation of exposed keys.

Before you touch anything else, take a hard look at how your pipeline deals with credentials.

Are secrets hardcoded anywhere in your scripts or source?
Are you just stuffing them into plaintext environment variables?
Have you centralised them in a proper vault, like HashiCorp Vault or AWS Secrets Manager?

Your immediate goal should be to eradicate long-lived, static credentials. Move towards a model where you use short-lived tokens that are fetched dynamically, just-in-time for a specific job, and expire the moment they're no longer needed. This single change massively shrinks your attack surface.

How Do I Secure My Pipeline Without Annoying My Developers?

This is a classic fear, but it’s a false dilemma. Good pipeline security doesn’t have to be a drag on productivity. The whole point of modern DevSecOps is to make security a seamless part of the workflow, not a roadblock. The magic ingredients here are automation and developer-centric feedback.

Forget about security reviews that act as a bottleneck right before a release. Instead, you want to embed automated scanners right into the pull request process.

Security should feel less like a gatekeeper and more like a helpful linter. When a tool gives immediate, clear, and actionable feedback inside a pull request—explaining what’s wrong and how to fix it—developers see it as a helpful tool, not a hindrance.

Think about it: a scanner that flags an overly permissive database rule and suggests the correct, secure code snippet is actually saving the developer time and effort. That's the goal.

SAST vs. SCA vs. DAST: What Do I Actually Need?

It's not an either/or situation; they each solve a different part of the security puzzle.

Software Composition Analysis (SCA): This is your non-negotiable, must-have tool. Malicious dependencies, like the recent Sha1-Hulud NPM worm, are a huge attack vector. An SCA tool simply scans your open-source packages for known vulnerabilities. You have to know what you’re shipping.
Static Application Security Testing (SAST): This is your first line of defence for the code you write yourself. SAST tools analyse your source code for common bugs and security flaws before it’s ever compiled or run.
Dynamic Application Security Testing (DAST): This tests your application while it's actually running. It’s a great way to find issues that only appear at runtime, but it typically happens much later in the pipeline.

If you’re just getting started and have to prioritise, focus on SCA and SAST first. These two give you the most bang for your buck early in the development cycle. They shift security left, helping you catch problems when they are far cheaper and easier to fix.

Ready to stop critical misconfigurations before they reach production? AuditYour.App acts like an automated red team for your modern stack, finding vulnerabilities in your Supabase or Firebase projects in minutes. Get your first scan and start shipping with confidence today.