What is OWASP Top 10 CI CD

OWASP (Open Web Application Security Project) Top 10 list focuses primarily on web application security risks rather than CI/CD (Continuous Integration/Continuous Deployment) security risks.

Example of OWASP CI CD policies in SSD

• Prohibited use of unspecified package versions - Unspecified Package versions can results in fetching uncertified latest package versions. It should be mandatory to pull only specific version except for latest as artifacts and dependencies.

• Refrain from running pipelines originating from forked repos - Repositories should be protected based on 2FA authentication

• Untrusted Deployment via Configuration Drift - Pipeline configuration should be fetched only from trusted sources.

• Open to merge public repositories for code utilities - Dependency packages in code should not be open to merge publically.

Refer OWASP for more information.